Global experience


The International Association of Oil & Gas Producers has access to a wealth of technical 
knowledge and experience with its members operating around the world in many different 
terrains. We collate and distil this valuable knowledge for the industry to use as guidelines 
for good practice by individual members. 


Consistent high quality database and guidelines 


Our overall aim is to ensure a consistent approach to training, management and best
practice throughout the world.


The oil and gas exploration and production industry recognises the need to develop
consistent databases and records in certain fields. The OGP’s members are encouraged to use the
guidelines as a starting point for their operations or to supplement their own policies and 
regulations which may apply locally. 


Internationally recognised source of industry information 


Many of our guidelines have been recognised and used by international authorities and 
safety and environmental bodies. Requests come from governments and non-government 
organisations around the world as well as from non-member companies. 


Disclaimer 


Whilst every effort has been made to ensure the accuracy of the information contained in this publication, 
neither the OGP nor any of its members past present or future warrants its accuracy or will, regardless 
of its or their negligence, assume liability for any foreseeable or unforeseeable use made thereof, which 
liability is hereby excluded. Consequently, such use is at the recipient's own risk on the basis that any use 
by the recipient constitutes agreement to the terms of this disclaimer. The recipient is obliged to inform 
any subsequent recipient of such terms. 


This document may provide guidance supplemental to the requirements of local legislation. Nothing
herein, however, is intended to replace, amend, supersede or otherwise depart from such requirements. In
the event of any conflict or contradiction between the provisions of this document and local legislation,
applicable laws shall prevail.


Copyright notice


The contents of these pages are © The International Association of Oil and Gas Producers. Permission
is given to reproduce this report in whole or in part provided (i) that the copyright of OGP and (ii)
the source are acknowledged. All other rights are reserved. Any other use requires the prior written
permission of the OGP.


These Terms and Conditions shall be governed by and construed in accordance with the laws of
England and Wales. Disputes arising here from shall be exclusively subject to the jurisdiction of the courts of
England and Wales.
1.0 Scope and Definitions
1.1 Application


This report contains guidance material for Human Factors (HF) studies within the 
various forms of risk and error assessment and analysis. It defines the terminology 
used in such studies, and includes information on applicable legislation, guidelines and 
standards; process descriptions and techniques. 


In Safety, Health and Environment, Human Factors (also called ergonomics) is 
concerned with "environmental, organisational and job factors, and human and 
individual characteristics, which influence behaviour at work in a way which can affect 
health and safety" [1]. As a multidisciplinary field involving psychology, physiology, and 
engineering, among other disciplines, Human Factors is a broad subject. It is involved 
in the design, development, operation and maintenance of systems in all industrial 
sectors. This datasheet aims to provide the user with a greater awareness of Human
Factors theory and practice.


It should be borne in mind that much of the material used in human factors is drawn
from a number of industry sources. Hence, for example, human error rates are often
context specific (i.e. when using data based upon error rates for control room operators, it will
be necessary to determine whether they require some modification when considering error rates
in a different environment).


It is important to understand the processes that can be followed for Human Factors 
since they often utilise a number of similar techniques. This datasheet outlines the 
processes and makes reference to the techniques. 


In Section 2.0, nine HF processes are described as follows:

1. Human Factors in Offshore Safety Cases

2. Human Factors in UK Onshore Safety Cases

3. Workload Assessment

4. Human Error Identification

5. Human Reliability Assessment

6. Human Factors in Loss of Containment Frequencies

7. Human Factors in the determination of event outcomes

8. Human Factors in the assessment of fatalities during escape & sheltering

9. Human Factors in the assessment of fatalities during evacuation, rescue and
recovery


1.2 Definitions and Terminology of HF 
1.2.1 Definitions 
‘Human Factors’ or ‘Ergonomics’ can be defined [2] as: 


"that branch of science and technology that includes what is known and theorised about 
human behavioural and biological characteristics that can be validly applied to the 
specification, design, evaluation, operation, and maintenance of products and systems to 
enhance safe, effective, and satisfying use by individuals, groups, and organisations". 
Put simply, this means "designing for human use". The user or operator is seen as a
central part of the system. Accident statistics from a wide variety of industries reveal 
that Human Factors, whether in operation, supervision, training, maintenance, or 
design, are the main cause of the vast majority of incidents and accidents. 


Human Factors attempts to avoid such problems by fitting technology, jobs and
processes to people, and not vice versa. This involves the study of how people carry out
work-related tasks, particularly in relation to equipment and machines. When 
considering the use of HF technology in safety-related systems, it is worth noting a 
further Human Factors definition [1]: 


"environmental, organisational and job factors, and human and individual characteristics, which 
influence behaviour at work in a way which can affect health and safety" 


Human Factors or ergonomics is generally considered to be an applied discipline that is 
informed by fundamental research in a number of fields, notably psychology, 
engineering, medicine (physiology and anatomy) and sociology. 


1.2.2 Terminology 


The term "Human Factors" has many synonyms and related terms. Most of these are
shown below, with explanation of key differences where generally agreed: 


Ergonomics - the term ergonomics literally means “laws of work”. It is the traditional 
term used in Europe, but is considered synonymous with “Human Factors”, a North 
American-derived term. Some associate the term ergonomics more with physical 
workplace assessment, but this is an arbitrary distinction. Other terms include Human
Engineering and Human Factors Engineering.


Cognitive Ergonomics or Engineering Psychology - this is a branch of Human Factors or 
ergonomics that emphasises the study of cognitive or mental aspects of work, 
particularly those aspects involving high levels of human-machine interaction, 
automation, decision-making, situation awareness, mental workload, and skill 
acquisition and retention. 


Human-Machine Interaction (HMI) or Human-Computer Interaction (HCI) - the applied study
of how people interact with machines or computers.


Working Environment - this emphasises the environmental and task factors that affect 
task performance. 
2.0 Human Factors Process Descriptions
2.1 Human Factors in Offshore Safety Cases
2.1.1 Rationale


The UK's Offshore Safety Case Regulations came into force in 1992. A 'Safety Case' is a 
written document within which the company must demonstrate that an effective 
management system is in place to control risks to workers and, in particular, to reduce
to As Low As Reasonably Practicable (ALARP) the risks from a major accident. The
duty holder (owner or operator) of every offshore installation operating in British waters 
is required to prepare a 'Safety Case' and submit it to the UK HSE Offshore Safety 
Division for formal acceptance. 


The main thrust of a Safety Case is a demonstration by the installation operator that the 
risks to the installation from Major Accident Hazards (MAH) have been reduced to 
ALARP. Traditionally the offshore industry has found it difficult to integrate Human 
Factors into the Safety Cases. Although there is a requirement to address human factor 
issues, the guidance has been unclear on how this should be achieved. A variety of 
tools and techniques have been initiated by a legislative focus and these are used to 
varying degrees by different operators. 


There are two sections within Safety Cases that are of high importance, the Safety 
Management System and Risk Assessment sections. Within these are a number of 
factors that should be addressed in order to meet the legislative requirements of the 
Safety Case. 


2.1.2 Stages 


The main part of the safety case which Human Factors issues are relevant to is the 
Safety Management System (SMS). Within the SMS there are a number of areas that 
should demonstrate the consideration of Human Factors issues. Areas include: 


Human Reliability And Major Accident Hazards 


The management system should demonstrate suitable methods for ensuring human 
reliability and the control of major accident hazards. Offshore installation risk 
assessments consist of both quantitative and qualitative components, considering the 
following: 


* Hazard Identification
* Assessment of Consequences
* Prevention, detection, control, mitigation, and emergency response.


Key approaches, both qualitative and quantitative, include HAZOPs and other Hazard
Identification (HAZID) techniques. HAZOP is an identification method designed
predominantly for the identification of hardware and people related hazards.
Engineering system HAZOPs are generally poor in their coverage of human factor
issues, though this is mainly due to the knowledge and expertise of the participants and
the facilitator. Specific Human Factors and Procedural HAZOPs are available for use.
Structured What If Technique (SWIFT) is an increasingly used technique for hazard
identification that is particularly good for examining organisational and Human Factors
issues.
Workforce Involvement


A key component in the effectiveness of the management of installation MAHs is the 
involvement of the workforce in the identification of MAHs and the development of 
specific prevention, detection, control, mitigation and emergency response measures. 
Involving the workforce helps to ‘buy-in’ support and ensure personnel are well 
informed of changes. This is a key aspect required by the UK HSE when it decides on
the acceptance of the Safety Case and has been reinforced by changes in 2005: "By
involving the workforce, they become more familiar with how they manage their safety 
in their day to day operations, enabling the safety case to be part of their daily 
operations, achieving the objective of having a ‘live’ safety case." 


Incident and Accident Investigation 


The RIDDOR regulations state that reporting of accidents and incidents is mandatory. 
Efforts are being made to increase the reporting levels of near miss incidents [3]. 
Incident and accident investigation is a formal requirement within an effective safety 
management system. It is one of the key tools for continuous improvement, a 
requirement for demonstrating continuous safe operation and that risks are being 
continuously driven to ALARP. 


Safety Culture and Behavioural Safety (Observational Based Programs) 


Many offshore installations now operate a behavioural safety programme within the 
management system. Behavioural safety programmes may be a proprietary package or 
developed in-house specifically for the operator's organisation. A variety of behavioural 
safety programmes are available and are designed to improve the safety culture of the 
organisation [4]. 


There are also methods and proprietary packages for the assessment and monitoring of 
an organisation's safety culture and climate. 


Emergency Response 


The safety management system should make consideration of the following areas of 
emergency response: 


* Emergency egress and mustering, i.e. consideration of the route layout, alarm
sounding etc. in relation to various foreseeable accident scenarios.


* Evacuation and rescue modelling. This is vital for identifying the weakness /
effectiveness of procedures.


* Demonstration of a good prospect of rescue and recovery in accordance with the
Prevention of Fire, Explosion and Emergency Response (PFEER) regulations.


* Emergency training and crisis management, i.e. regular drills are held offshore on a
weekly basis.


* Survival Training. This is given to all offshore personnel and is refreshed on a
regular basis, the intervals being defined by age scales.


Work Design


The inclusion and consideration of personnel's working arrangement is an important 
part of the Safety Case. It can impact heavily upon the working performance and safety 
behaviours of personnel. Current research is looking into the implications of shift work 
on safety behaviours [5]. 
Of further importance is the handover process by personnel between shifts.


Workload and Manning Levels 


Efforts have been made to reduce manning levels on installations to a safe operational 
minimum. Various methods are available to enable risk assessment of these manning 
levels (see Section 2.3). 


Permit to Work Systems 


The UK HSE and the Norwegian Oil Industry Association (OLF) have published guidance 
for onshore and offshore activities [6], [7]. 


Working Environment 


Key working environment issues offshore include lighting, access for maintenance and 
operation, noise, vibration and exposure to weather. All of these affect the operator's 
ability to work effectively. The UK HSE is currently reviewing legislative requirements to 
bring them in line with the Norwegian NORSOK standards. 


Training and Competency Assurance 


Training and competency assurance is increasingly being recognised as a vital human 
factors issue. Demonstration of personnel training and competency is a requirement 
within the safety management system. Training needs of personnel should be identified 
and competency demonstrated and verified by an appropriate authority [8]. 


In addition to the demonstration that an effective safety management system is in place, 
the Safety Case should demonstrate that the major accident hazards on the installation 
have been identified and controlled. This can be demonstrated through the use of Safety 
Critical Task Analysis in addition to complementary methods of analysis such as 
Quantified Risk Assessment, HAZOPs and HAZID techniques. 


2.2 Human Factors in UK Onshore Safety Cases
2.2.1 Rationale


It is generally understood that virtually all major accidents include Human Factors 
among the root causes and that prevention of major accidents depends upon human 
reliability at all onshore sites, no matter how automated. 


Assessment is a team process; it is important that the team members do not examine 
their topic in isolation, but in the context of an overall ALARP demonstration. 


2.2.2 Stages 
2.2.2.1 Identify potential for human failures 


The COMAH safety report needs to show that measures taken and SMS are built upon a 
real understanding of the potential part that human reliability or failure can play in 
initiating, preventing, controlling, mitigating and responding to major accidents. 
Occasionally quantitative human reliability data is quoted: this should be treated with 
caution. Local factors make considerable impacts so generic data, if used, must be 
accompanied by an explanation as to why it is applicable for the site. 
2.2.2.2 Choosing and justifying the measures


Few COMAH safety reports justify or explain how the choice is made between functions 
that are automatic and those that are manual. Yet this can be key to showing that all 
necessary measures are in place or that risks are ALARP, following principles of 
inherent safety. 


There should not be over reliance on training and procedures in place of reasonably 
practical physical measures. 


2.2.2.3 Implementing control measures 


Once the potential human contribution has been identified, this should be reflected in 
the choice and design of measures in place. All sites rely to a degree on compliance 
with procedures. Yet many sites have areas of ineffective compliance rates and few, if 
any, will ever reach 100%. Therefore regular reviews should be conducted of safety 
critical procedures. 


2.2.2.4 Management assurance 


The main functions of a safety management system are to bring consistency and 
discipline to the necessary measures by means of a quality assurance system by 
maintaining good industry practice (which underpins the ALARP argument). This is
done by completing documentation, audit and control; and to ensure continuous 
improvements towards ALARP by means of capturing lessons learned and setting and 
meeting appropriate targets in relation to the major accident hazard. 


The UK HSE has funded research into creating a model that allowed the easy integration
of HF issues into the identification of major chemical hazards, safety management
systems for managing those hazards and related organisational issues. Although the
research for this model is based on onshore industries, the principles within it could
also be applied to the offshore industry. This model was trialled in a workshop with UK
HSE specialists from a broad range of industries. The feedback was both positive and
negative with a summary being that the model was usable but required packaging
differently so that it could be more easily understood and applied by a wider audience
[9].


2.3 Workload Assessment 
2.3.1 Rationale 


The construct of workload has no universally acceptable definition. Stein [10] uses the 
following definition: 


"The experience of workload is based on the amount of effort, both physical and psychological, 
expended in response to system demands (task load) and also in accordance with the 
operator's internal standard of performance." (p. 157). 


Put simply, workload problems occur where a person has more things to do than can be 
reasonably coped with. Workload can be experienced as either mental, or physical, or 
both, and will be associated with various factors, such as: 


* Time spent on tasks. 


* Number, type (e.g. manual, visual), and combination of tasks. 
* Task pacing and scheduling.


* Operator experience, state, and perceptions.


* Environmental factors (e.g. noise, temperature).


* Time, in relation to work-sleep cycle.


Problems with workload can occur when workload is too high (overload) or too low 
(underload). Some examples of causes of workload are shown in Table 2.1. 


Table 2.1 Some Examples of Causes of Excessive and Insufficient Workload

| EXCESSIVE WORKLOAD | INSUFFICIENT WORKLOAD |
| Rapid task scheduling (e.g. excessive task cycle times). | Slow or intermittent task scheduling (e.g. downtime). |
| Signals occurring too rapidly, particularly in the same sensory modality (e.g. several visual alarms presented at the same time). | Signals occurring infrequently (e.g. monitoring a radar display in an area of very low activity). |
| Unfamiliarity or lack of skill (e.g. a trainee operator keeping up with a fast production line). | Excessive skill relative to job (e.g. a highly skilled operator packing boxes). |
| Complexity of information (e.g. an air traffic controller dealing with traffic at various speeds, directions, at flight levels). | Monotonous or highly predictable information |
| Personal factors (e.g. emotional stress). | |


At the upper limits of human performance, excessive workload may result in poor task 
performance and operator stress. Underload may be experienced as boredom, with
associated distraction. Both may result in ‘human error’ - failing to perform part of a 
task, or performing it incorrectly. 


Workload assessment may be used as part of the investigation of several problems, 
such as: 


* Manning requirements and de-manning.

* Shift organisation.

* Information and HMI design.

* Job design.

* Team design.


2.3.2 Stages 
2.3.2.1 Problem definition 


First determine whether the problem is one of excessive or insufficient task load, and 
whether the workload is primarily physical or mental. Then investigate, by discussing 
with operators and supervisors, the source of the workload problem, e.g.: 


* Manning arrangements - too many or too few operators will cause workload
problems.


* Shift organisation - poor shift organisation can result in manning problems, but may
have other effects such as fatigue, which will have further effects on workload.


* Information and HMI design - problems with information display (e.g. too much,
poorly organised, badly designed, etc.) can overload the operator.


* Job design - poor task scheduling or organisation can lead to under- or overload.


* Team design and supervision - poor team design and supervision may result in
some operators being overloaded or underloaded.


* Competing initiatives - competition between teams can be good for productivity but
can also lead to an increase in operator workload as more is attempted in
the same period of time.


* Unreliable hardware - if machinery is constantly failing then maintainers and
operators will have to work harder to achieve a reasonable level of performance.


2.3.2.2 Collection of background information 


Important background information may include: 


* Number of operators (and number affected by workload problem).

* Operator availability (particularly for safety-critical tasks).

* Cover arrangements for sickness, holiday/vacation, training, etc.

* Team design.

* Approximate percentages of time operators spend on different tasks.

* Extraneous operator duties (e.g. fire crew, first aid, forklift truck driver, etc.).

* Shift pattern/working hours.

* Overtime arrangements.

* Management and supervision (level of supervisor).

* Previous incidents associated with workload.

* Environmental and physiological information (heat, etc.).


2.3.2.3 Selection and application of assessment method 


The assessment method required will depend upon the source of the workload problem: 


* Manning arrangements

* Shift organisation

* Information and Human-Machine Interface (HMI) design

* Job design (see Human Error Identification)

* Team design and supervision


In addition, a number of other more direct measures of workload are available. These 
can be divided into the following categories: 


Primary task performance - indicates the extent to which the operator is able to 
perform the principal work mission (e.g. production to schedule). These types of 
measures can be difficult to implement and have little sensitivity when highlighting 
problem areas. 
Secondary task performance - these measures involve the operator performing two
tasks, a primary and a secondary task. Both tasks are measured, but depending on 
the purpose and scope of the task, either the primary or secondary task is given 
priority. Errors or performance decrements may be measured. These techniques are 
generally only suited to simulated or experimental settings. 


Physiological and psycho-physiological techniques - these techniques measure a 
physiological function, and in the case of mental workload, one that is known to 
have some relationship with psychological functions. Examples include respiratory 
activity (physical workload), cardiac activity (mental and physical workload), brain 
activity (mental workload), and eye activity (mental workload). Again, these 
measures generally require a base-line (or control) for that participant to be recorded 
so that the 'delta' as a result of that variable can be established. 


Subjective assessment techniques - these techniques provide an estimate of workload 
based on judgement, usually by the person undertaking the task. 


Task analytic techniques - these techniques aim to predict mental workload at an 
earlier stage of the system life-cycle, using task analysis and time-line analysis. The 
rationale is that the more time is spent on tasks, especially overlapping or 
concurrent ones, the greater the workload. The approaches assume that mental 
resources must be limited and use various models of mental workload. These 
techniques can also be used to highlight simple workload conflicts such as an 
operator not being in the location of an alarm when necessary. 


In practical settings, the main techniques for workload assessment are subjective and
analyse specific tasks or sub-tasks. Some examples of these techniques are shown in
Table 2.2. These are mainly intended for the assessment of mental workload, but must 
involve some physical component. 


However, they are not suitable for purely physical tasks (e.g. assessing physical 
fatigue). Also, most were developed for the aviation industry, but may be adapted fairly 
easily for other industries. 


Table 2.2 Some Subjective and Task Analytic Workload Assessment Techniques

| TYPE / METHOD | DESCRIPTION |
| Subjective Techniques | |
| Uni-dimensional rating scales | Assess workload along a single dimension with a verbal descriptor (e.g. Workload), with a scale (e.g. ‘Low’ to ‘High’). |
| 10cm line | Workload is simply rated on a scale from 1 to 10. |
| Modified Cooper-Harper Scale | Scale developed for use with pilots, with scale descriptors of mental effort. |
| Bedford Rating Scale | Developed from the Modified Cooper-Harper Scale. Descriptors make reference to spare mental capacity. |
| Multi-dimensional Rating Scales | Assess the different factors that are thought to contribute to workload. More diagnostic than uni-dimensional scales. |
| NASA-TLX | Assesses six dimensions: mental demand, physical demand, temporal demand, performance, effort, and frustration. Ratings are made on a scale from 1 to 20, then the dimensions are weighted using a paired comparisons technique. The weighted ratings can be summed to provide an overall score. |
| General Questionnaires and Interviews | General questionnaires can be developed and applied, or interviews can be conducted, to ask about specific aspects of workload, e.g. how much, when, who, why, etc. |
| Instantaneous Assessment | Measures that can ‘track’ workload over a time period, allowing investigation of workload peaks and troughs. |
| Instantaneous Self Assessment (ISA) | Workload is rated at specific intervals on a scale of 1 (under-utilised) to 5 (excessive). The operator presses one of five buttons every two minutes, when signalled by a flashing light. The results for all operators are fed to a computer terminal for observation. |
| C-SAW | The operator watches a video replay of the task and applies a rating on a scale of 1 to 10 using the Bedford Scale. |
| Task Analytic Techniques | |
| Timeline analysis | Timeline analysis is a general task analysis technique that maps operator tasks along the time dimension, taking account of frequency and duration, and interactions with other tasks and personnel. This method is most suited to tasks that are consistently structured (in terms of task steps, durations, frequency, etc.), with little variation in how they are performed. Workload can be rated in retrospect (by an expert) on a 5- or 6-point scale from 0% to 100%. |
| Timeline Analysis and Prediction (TLAP) | A timeline analysis is conducted for observable tasks and their durations. The tasks are assumed to have different channels: vision (looking); audition (listening); hands (manipulating by hand); feet (using feet); and cognition (thinking). By observing and listening to the operator, an estimate can be made of the amount of time required for each task. |
| Visual, Auditory, Cognitive, Psychomotor | This uses experienced subject matter experts to rate a variety of tasks between 0 (no demand) to 7 (highest demand) to the following workload channels: visual; auditory; cognitive and psychomotor (movement). The demand on the channels is summed to give a score, and a scope is available for ‘excessive workload’. |
| Workload Index (W/INDEX) | W/INDEX is based on Wickens’ Multiple Resource Theory, which describes humans as fixed capacity information processors with access to different pools of resources. Six channels are used: visual, auditory, spatial cognition, verbal cognition, manual response, and voice response. W/INDEX also tries to weight the interference between channels (e.g. speaking and listening to speech at the same time). |
| Micro-SAINT | Micro-SAINT is a computer simulation that simulates the operator activities in responding to events. |

Sometimes, techniques may be used with the entire population of operators affected. At
other times, it may be necessary to apply the technique on a sample of operators. This
will depend on the scope of the project, and the number of operators affected by the
workload problem. It may be sensible to employ more than one technique.
2.3.2.4 Workload smoothing


If workload is excessive or insufficient, it may be necessary to redesign the task, job, or 
equipment, or re-organise the shift pattern, manning arrangements, etc. A sample of 
operators should be involved in this process. 


2.4 Human Error Identification
2.4.1 Rationale


Human Error Identification (HEI) is a generic term for a set of analytical techniques that 
aim to predict and classify the types of human errors that can occur within a system so 
that more effective and safer systems can be developed. HEI can be either a standalone 
process or part of a wider Human Reliability Assessment (HRA) (see Section 2.5). 


The concept of human error is at the heart of HRA and HEI. Reason [11] defines human 
error as: 


"a generic term to encompass all those occasions in which a planned sequence of mental or 
physical activities fails to achieve its intended outcome, and when these failures cannot be 
attributed to the intervention of some chance agency" (p.9). 


HEI provides a comprehensive account of potential errors, which may be frequent or 
rare, from simple errors in selecting switches to 'cognitive errors' of problem-solving 
and decision-making. 


Some errors will be foreseen or 'predicted' informally during system development, but 
many will not. It is often then left to the operators to detect and recover from these 
errors, or automated systems to mitigate them. HEI can be a difficult task because 
humans have a vast repertoire of responses. However, a limited number of error forms 
occur in accident sequences, and many are predictable. HEI is an important part of HRA 
because errors that have not been identified cannot be quantified, and might not be 
addressed at all. Kirwan [12] considers that HEI is at least as critical to assessing risk 
accurately as the quantification of error likelihoods. HEI can also identify the 
Performance Shaping Factors (PSFs), which may be used in the quantification stage, 
and will be necessary for error reduction. 


HEI can be used for various types of error such as [13]: 

* Maintenance testing errors affecting system availability. 

* Operating errors initiating the event/incident. 

* Errors during recovery actions by which operators can terminate the event/incident. 

* Errors which can prolong or aggravate the situation. 

* Errors during actions by which operators can restore initially unavailable equipment 
and systems. 


Two models of human error underlie most techniques. The first is Rasmussen's [14] 
‘skill’, ‘rule’ and ‘knowledge’ (SRK) based performance distinction. The majority of 
physical, communication or procedural errors are ‘skill’ or ‘rule’ based whilst the 
majority of ‘cognitive’ errors of planning and decision-making are ‘knowledge-based’. 
The second model is Reason’s [11] distinction of slips, lapses and mistakes. Slips and 
lapses are: 


‘errors resulting from some failure in the execution and/or storage stage of an action sequence, 
regardless of whether or not the plan which guided them was adequate to achieve its 
objective’. 


Slips are associated with faulty action execution, where actions do not proceed as 
planned. Lapses are associated with failures of memory. These errors tend to occur 
during the performance of fairly ‘automatic’ or routine tasks in familiar surroundings, 
and attention is captured by something other than the task in hand. Examples include 
misreading a display, forgetting to press a switch, or accidentally batching the wrong 
amount to a batch counter. 


Reason [11] also defines mistakes as: 


‘deficiencies in the judgmental and/or inferential processes involved in the selection of an 
objective or in the specification of the means to achieve it, irrespective of whether or not the 
actions directed by this decision-scheme run according to plan’. 


So intended actions may proceed as planned, but fail to achieve their intended outcome. 
Mistakes are difficult to detect and likely to be more subtle, more complex, and more 
dangerous than slips. Detection may rely on intervention by someone else, or the 
emergence of unwanted consequences. Examples include misdiagnosing the 
interaction between various process variables and then carrying out incorrect actions. 


Violations are situations where operators deliberately carry out actions that are contrary 
to organisational rules and safe operating procedures. 


2.4.2 Stages 

The first task is to determine the scope of the HEI, including: 
* Is it a standalone HEI or HRA study? 

* What are the types of tasks and errors to be studied? 

* What is the stage of system development? 

* Are there any existing HEIs or task analyses? 

* What is the level of detail required? 


2.4.2.1 Task analysis 


HEI requires a thorough analysis of the task. This is because each stage of the task, and 
the sequence and conditions in which sub-tasks are performed, must be described 
before potential errors at each stage can be identified. ‘Task analysis’ covers a range of 
techniques for the study of what an operator is required to do to achieve a system goal. 
The most widely used method is called ‘Hierarchical Task Analysis’ or HTA. This 
produces a numbered hierarchy of tasks and sub-tasks, usually represented in a tree 
diagram format, but may also be represented in a tabular format. It will be necessary to 
decide the level of resolution or detail required. In some cases, button presses, 
keystrokes etc may need to be described, in other cases, description may be at the task 
level. An operator may need to be involved in the study. Once a task analysis has been 
developed, HEI can take place. 


2.4.2.2 Human Error Identification Worksheet 
A typical HEI worksheet may include the following information: 


* Task Step - this may be at button-press/keystroke level or task level depending on 
the detail required. 


* External Error Modes (EEM) - the external failure keywords. 


* Psychological Error Mechanisms (PEM) - underlying psychological process producing 
the error. 


* Causes and Consequences. 


* Safeguards and Recovery - automated safeguards and potential human recovery 
actions. 


* Recommendations - in terms of procedures, equipment, training, etc. 


2.4.2.3 Screening 


It is then necessary to comb through the HEI worksheets to find errors that are not 
adequately protected against by safeguards. In particular, where there are no 
technological safeguards and human recovery is required (especially by the same 
operator), such errors should be taken further forward for analysis (qualitative or 
quantitative). 


2.4.2.4 Human Error Reduction 


Human error reduction strategies or recommendations may be required where the 
safeguards in place are not adequate in light of the risk of human error. 
Recommendations may be made during the HEI or during the HRA itself, so this stage 
may involve reviewing such recommendations in light of the screening exercise. Human 
Factors should be considered during the implementation of solutions, and any 
recommendations should be considered in an integrated fashion, taking into account 
the context of the working environment and organisation. Kirwan [15] notes four types 
of error reduction: 


* Prevention by hardware or software changes - e.g. interlocks, automation. 


* Increase system tolerance - e.g. flexibility or self-correction to allow variability in 
operator inputs. 


* Enhance error recovery - e.g. improved feedback, checking, supervision, automatic 
monitoring. 


* Error reduction at source - e.g. training, procedures, interface and equipment 
design. 


Typically, error reduction might focus on the following: 
* Workplace design and Human Machine Interface 

* Equipment design 

* Ambient environment 

* Job design 

* Procedures 

* Training 

* Communication 

* Team work 

* Supervision and monitoring 


Often, error reduction strategies are not as effective as envisaged, due to inadequate 
implementation, a misinterpretation of measures, side-effects of measures (e.g. 
operators removing interlocks), or acclimatisation to measures (especially if 
motivational). Hence, the efficacy of measures should be monitored. 


2.4.2.5 Documentation and Quality Assurance 


Results and methods are documented such that they are auditable. The rationale and all 
assumptions should be made clear. This is important for error reduction strategies to 
ensure that they remain effective and that the error reduction potential is realised and 
maintained. 


Ensure that the worksheets are reviewed by any operators involved. It is also useful to 
involve an independent auditor. HEI can become too reliant on the individual analyst, 
which can result in biases where the analyst loses sight of interactions, becomes too 
focused on detail, and the analysis becomes repetitive and routine. An external auditor 
(i.e. a second, independent assessor) can prevent this. 


2.4.3 Techniques 


A number of HEI techniques have been developed. Most existing techniques are either 
generic error classification systems or are specific to the nuclear and process 
industries, or aviation. These techniques range from simple lists of error types, to 
classification systems based around a model of how the operator performs the task. 


Some of the most popular techniques for Human Error Identification are: 
* Systematic Human Error Reduction and Prediction Process - SHERPA 

* Comprehensive Risk Evaluation And Management - CREAM 

* Human Factors Structured What IF Technique - SWIFT 

* Human Hazard and Operability Study - HAZOP 

* Human Failure Modes and Effects Analysis - FMEA 

2.5 Human Reliability Assessment 

2.5.1 Rationale 


Human error has been seen as a key factor associated with almost every major 
accident, with catastrophic consequences to people, property and the environment. 
Accidents with major human contributions are not limited to any particular parts of the 
world, or any particular industry, and include the Aberfan mining disaster (1966), the 
Bhopal chemical release (1984), the Chernobyl melt-down and radioactivity release 
(1986), the Piper Alpha platform explosion (1988) and the Kegworth air disaster (1989). 
The study of human error was given a major spur by the Three Mile Island accident 
(1979). 


Human Reliability Assessment (HRA) can be defined as a method to assess the impact 
of potential human errors on the proper functioning of a system composed of 
equipment and people. HRA emerged in the 1950s as an input to Probabilistic Safety (or 
Risk) Assessments (PSA or PRA). HRA provided a rigorous and systematic 
identification and probabilistic quantification of undesired system consequences 
resulting from human unreliability that could result from the operation of a system. HRA 
developed into a hybrid discipline, involving reliability engineers, ergonomists and 
psychologists. 


The concept of human error is at the heart of HRA. Reason [11] defines human error as: 


"a generic term to encompass all those occasions in which a planned sequence of mental or 
physical activities fails to achieve its intended outcome, and when these failures cannot be 
attributed to the intervention of some chance agency" (p. 9). 


It is necessary to understand several aspects of the socio-technical system in order to 
perform a HRA. First, an understanding of the engineering of the system is required so 
that system interaction can be explored in terms of error potential and error impact. 
Second, HRA requires an appreciation of the nature of human error, in terms of 
underlying Psychological Error Mechanisms (PEMs) as well as Human Factors issues 
(called Performance Shaping Factors, PSFs) that affect performance. Third, if the HRA is 
part of a PSA, reliability and risk estimation methods must be appreciated so that HRA 
can be integrated into the system's risk assessment as a whole. 


A focus on quantification emerged due to the need for HRA to fit into the probabilistic 
framework of risk assessments, which define the consequences and probabilities of 
accidents associated with systems, and compare the output to regulatory criteria for 
that industry. If the risks are deemed unacceptable, they must be reduced or the system 
will be cancelled or shut down. Indeed, most HRAs are nowadays PSA-driven human 
error quantification techniques which use combinations of expert judgement and 
database material to make a quantified assessment of human unreliability in situations 
where the actual probability of error may be small but where the consequences could be 
catastrophic and expensive. 


2.5.2 Stages 


The HRA approach has qualitative and quantitative components, and the following can 
be seen as the three primary functions of HRA: 


* Human Error Identification 
* Human Error Quantification 
* Human Error Reduction. 


The qualitative parts of HRA are the identification or prediction of errors (along with the 
preceding task analyses), the identification of any related PSFs such as poor 
procedures, system feedback, or training, and the subsequent selection of measures to 
control or reduce their prevalence. The quantitative part of HRA includes the estimation 
of time-dependent and time-independent human error probabilities (HEPs) and the 
estimation of the consequences of each error on system integrity and performance. 
These estimations are based on human performance data, human performance models, 
analytical methods, and expert judgement, described in more detail below. 


There are 10 stages to HRA [15]: 
1. Problem Definition. 
2. Task Analysis. 
3. Human Error Identification. 
4. Human Error Representation. 
5. Screening. 
6. Human Error Quantification. 
7. Impact Assessment. 
8. Human Error Reduction. 
9. Quality Assurance. 
10. Documentation. 


2.5.2.1 Problem Definition 
Determine the scope of the HRA, including: 
* Is it a standalone or PSA driven assessment? 

* What are the types of scenarios, tasks (operation, maintenance, etc.) and errors to 
be studied? 

* What is the stage of system development? 

* What are the system goals for which operator actions are required, and how do 
safety goals fit in? 

* Is quantification required - absolute or relative? 

* What is the level of detail required? 

* What are the risk assessment criteria (e.g. deaths, damage)? 

* Are there any existing HRAs (including HEIs and task analysis)? 


This will require discussions with system design and plant engineers, and operational 
and managerial personnel. The problem definition may shift with respect to the above 
questions as the assessment proceeds (e.g. the identification of new scenarios). 


2.5.2.2 Task analysis 


Task analysis is required to provide a complete and comprehensive description of the 
tasks that have to be assessed. Several methods may be used, such as Hierarchical 
Task Analysis or Tabular Task Analysis. The main methods of obtaining information for 
the task analysis are observation, interviews, walk-throughs, and examination of 
procedures, system documentation and training material. For a proceduralised task, HTA is 
probably most appropriate. Operational personnel should verify the task analysis 
throughout if possible. 


2.5.2.3 Human Error Identification 


Human Error Identification (HEI) is a generic term for a set of analytical techniques that 
aim to predict and classify the types of human errors that can occur within a system so 
that more effective and safer systems can be developed (see Section 2.4). 


2.5.2.4 Human Error Representation 


Representation allows the assessor to evaluate the importance of each error, and to 
combine risk probabilities of failures (hardware, software, human, and environmental). 
The main representation techniques used in HRA are Fault Tree Analysis (FTA) and 
Event Tree Analysis (ETA). These: 


* enable the use of mathematical formulae to calculate all significant combinations of 
failures 


* calculate the probabilities 


* indicate the degree of importance of each event to system risk and 


* allow cost-benefit analysis. 


FTA is a logical structure that defines what events must occur for an undesirable event 
to occur. The undesirable event is usually placed at the top of the FTA. Typically two 
types of gates are used to show how events at one level can proceed to the next level 
up but others do exist. The typical types of gates are: 


* OR gate - the event above this occurs if any one of the events joined below this gate 
occurs. 


* AND gate - the event above this occurs if all of the events joined below this gate 
occur. 


FTA can be used for simple or complex failure paths, comprising human errors alone or 
a mixture of hardware, software, human, and/or environmental events. The structured 
events can be quantified, thus deriving a top event frequency. FTA is a good way of 
incorporating Human Errors that act as contributors to initiating events in the reliability 
assessment. One issue of consideration is the level of component data that is available 
(e.g. failure to perform a single action or as a result of the failure to carry out a task). 


ETA proceeds from an initiating event typically at the left-hand side of the tree, to 
consider a set of sequential events, each of which may or may not occur. This results 
normally in binary branches at each node, which continue until an end state of success 
or failure in safety terms is reached for each branch. ETA is a good way of representing 
the reliability of human actions as a response to an event, particularly where human 
performance is dependent upon previous actions or events in the scenario sequence. 
This is primarily because ETA represents a time sequence and most operator responses 
are based on a sequence of actions that usually have to be carried out in a pre-defined 
sequence. 


Within both FTA and ETA it is important to recognise the potential of the human to be a 
cause of dependent failure. This can either be through the fact that failure to carry out an 
initial part of the task influences the probability of succeeding in the remainder of the 
task, or that the same error is made when performing the task more than once. A good 
example of the potential for dependent failure to occur would be the faulty maintenance 
of redundant trains of equipment or miscalibration of multiple sets of instruments being 
carried out by the same team. Such errors must not be treated independently, since 
underestimation will result. Dependency is generally associated with mistakes rather 
than slips. Additionally poor procedures or working practices can also be a frequent 
cause of dependent failures. 
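

The gate logic and the dependent-failure caveat above, as an added worked example (not part of the OGP document): a small fault tree is evaluated once with two miscalibration errors treated as independent and once with dependence between them. All event names and probabilities are constructed for illustration, and the conditional-probability equations are the dependence levels published with THERP, a technique this document names but does not describe.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Basic:
    """Basic event (hardware failure or human error), probability per demand."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """Logic gate; kind is "AND" or "OR", children are Basic events or Gates."""
    kind: str
    children: tuple


def evaluate(node):
    """Probability of the event at `node`.

    Valid only if the children of every gate are independent and no basic
    event appears more than once in the tree.
    """
    if isinstance(node, Basic):
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability must be within [0, 1]")
        return node.p
    probs = [evaluate(child) for child in node.children]
    if node.kind == "AND":   # all events below the gate must occur
        return math.prod(probs)
    if node.kind == "OR":    # any one event below the gate is enough
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate type: {node.kind!r}")


# THERP dependence levels: P(error on this task | same error on the previous
# task), where n is the nominal (independent) human error probability.
THERP_DEPENDENCE = {
    "zero": lambda n: n,
    "low": lambda n: (1 + 19 * n) / 20,
    "moderate": lambda n: (1 + 6 * n) / 7,
    "high": lambda n: (1 + n) / 2,
    "complete": lambda n: 1.0,
}


def joint_same_error(hep, repeats, level):
    """P(the same error is made on all `repeats` tasks done by one team)."""
    if repeats < 1:
        raise ValueError("repeats must be at least 1")
    conditional = THERP_DEPENDENCE[level](hep)
    return hep * conditional ** (repeats - 1)


def build_tree(level):
    """Constructed scenario: a demand occurs AND the two-channel trip fails."""
    demand = Gate("OR", (
        Basic("operator opens wrong valve", 1e-2),      # constructed value
        Basic("control valve fails open", 1e-3),        # constructed value
    ))
    hardware = Gate("AND", (
        Basic("trip channel A fails", 1e-2),            # constructed value
        Basic("trip channel B fails", 1e-2),            # constructed value
    ))
    # Both channels are calibrated by the same team, so the pair is modelled
    # as ONE basic event carrying the joint probability, not as an AND gate
    # over two independent errors.
    miscalibrated = Basic("channels A and B both miscalibrated",
                          joint_same_error(1e-2, 2, level))
    protection_fails = Gate("OR", (hardware, miscalibrated))
    return Gate("AND", (demand, protection_fails))


def top_event(level):
    """Top event probability for the chosen dependence level."""
    return evaluate(build_tree(level))


if __name__ == "__main__":
    for level in THERP_DEPENDENCE:
        print(f"{level:9s} dependence: top event = {top_event(level):.3e}")
```

With these constructed inputs, treating the two calibrations as independent ("zero") gives a top event probability roughly 26 times lower than the high-dependence case, which is the underestimation the text warns about.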


2.5.2.5 Screening 


Screening analysis identifies where the major quantification effort should be 
applied, i.e. to those errors that make the greatest contribution to system risk. In general terms, it 
is usually easier to quantify error which refers to the failure to perform a single action. 
However it is also unusual to have sufficient resource to, for example, identify all the 
potential modes of maintenance error. Therefore a balance must be struck between the 
level of modelling and the criticality of the failure. The Systematic Human Action Reliability 
Procedure (SHARP) defines three methods of screening logically structured human 
errors: 


I. Screening out human errors that could only affect system goals if they occur in 
conjunction with an extremely unlikely hardware failure or environmental event. 


II. Screening out human errors that would have negligible consequences on system 
goals. 


III. Assigning broad probabilities to the human errors based on a simple 
categorisation, e.g. as given in Table 2.3. 


Table 2.3 Generic Human Error Probabilities [15] 


| CATEGORY | FAILURE PROBABILITY |
|---|---|
| Simple, frequently performed task, minimal stress | 10^ |
| More complex task, less time variable, some care necessary | 10? |
| Complex unfamiliar task, with little feedback, and some distractions | 10" |
| Highly complex task, considerable stress, little performance time | 3x10" |
| Extreme Stress, rarely performed task | 10^0 (= 1) |


Note: Table 2.7 also contains some generic human error probabilities from a different source 


2.5.2.6 Human Error Quantification 


Human Error Quantification techniques quantify the Human Error Probability, defined as: 


\[
\mathrm{HEP} = \frac{\text{Number of errors observed}}{\text{Number of opportunities for error}}
\]


Human error quantification is perhaps the most developed phase of HRA, yet there is 
relatively little objective data on human error. Some human error databases are now 
becoming available [15], [16]. The use of expert judgement is therefore required with 
some of the available techniques that use existing data, where it exists. 


Most of the best tools available are in the public domain. 


2.5.2.7 Impact Assessment 
In order to consider impacts, the results of HRA can be: 


* used as absolute probabilities and utilised within PSAs. It would be necessary to 
demonstrate whether human error was a major contributor to inadequate system 
performance, via analysis of the fault tree to determine the most important events. 
Here, HEPs would be used in conjunction with system models to demonstrate that 
the system meets acceptable criteria. 


* used comparatively to compare alternative work systems to determine which 
constitute the higher relative risk and therefore the higher priority for action. 


2.5.2.8 Quality and Documentation Assurance 


The HRA process must be documented clearly such that it is auditable. Rationale 
and all assumptions should be clear, so that the study can be audited, reviewed (e.g. in 
the case of a future accident), updated or replicated if necessary. 


2.5.3 Techniques 


Widely used and available techniques for HRA are: 
* HEART (Human Error Assessment and Reduction Technique) 
* THERP (Technique for Human Error Rate Prediction) 
* APJ (Absolute Probability Judgement) 


2.6 Human Factors in Loss of Containment Frequencies 
2.6.1 Rationale 


This section describes how Human Factors methods can be used to estimate the human 
error component of loss of containment (LOC) frequencies. 


According to some sources, the identification of management mechanisms which could 
have prevented or recovered unsafe conditions leading to Loss of Containment 
accidents, indicates that some 90% of LOC accidents are preventable. However, before 
an accident can be prevented the hazard associated with it needs to be identified and 
mitigated. These accidents can be modelled and quantified by estimating the Human 
Error rate and probability associated with the event. This in turn can be used to 
determine whether the mitigation is truly ALARP. 


2.6.2 Stages 


To be able to estimate the human error component of LOC, three activities need to 
take place: 


1. The human errors need to be established that lead to the LOC. 

2. The probability of that error occurring needs to be calculated. 

3. If there is more than one error, these need to be combined correctly to provide an 
accurate result. 


2.6.2.1 Establishing the Human Errors 


Before the errors can be assessed their cause and direct consequence need to be 
established. This can be established systematically using Hierarchical Task Analysis, or 
from expert opinion via a HAZID, HAZOP or OSHA. 


These errors and events can then be logged and verified as being valid before being 
combined with the probability data. 


Most people only consider operator errors when looking for the sources of error. 
However, examination of major accidents shows management failures to often underlie 
these errors in the following organisational areas [17]: 


* Poor control of communication and coordination: 
- between shifts; 


- upward from front line personnel to higher management in the organisational 
hierarchy and downward in terms of implementing safety policy and standards 
throughout the line of management (particularly in a multi-tiered organisation); 


- between different functional groups (e.g. between operations and maintenance, 
between mechanical and electrical); 


- between geographically separated groups; 


- in inter-organisational grouping (particularly where roles and responsibilities 
overlap) such as in the use of sub-contractors, or in an operation which requires 
the co-ordination of multiple groups within the same operational "space"; 


- in heeding warnings (which is one of the important manifestations of the above 
where the indicators of latent failures within an organisation become lost or 
buried). 


* Inadequate control of pressures: 
- in minimising group or social pressures 
- in controlling the influence of workload and time pressures 
- of production schedules 


- of conflicting objectives (e.g. causing diversion of effort away from safety 
considerations) 


* Inadequacies in control of human and equipment resources: 


- where there is sharing of resources (where different groups operate on the same 
equipment), coupled with communication problems, e.g. lack of a permit-to-work 
(PTW) system. 


- where personnel competencies are inadequate for the job or there is a shortage 
of staff 


- particularly where means of communication are inadequate 


- where equipment and information (e.g. at the man-machine or in support 
documentation) are inadequate to do the job 


* Rigidity in system norms such that systems do not exist to: 


- adequately assess the effects and requirements of change (e.g. a novel situation 
arises, new equipment is introduced) 


- upgrade and implement procedures in the event of change 
- ensure that the correct procedures are being implemented and followed 


- intervene when assumptions made by front line personnel are at odds with the 
status of the system 


- control the informal learning processes which maintain organisational rigidity 


These are types of failure which can be addressed in a Safety Management System 
(SMS) audit to derive an evaluation of the management system. 


Further work had been carried out to look at the effectiveness of these error 
establishing processes. In a study of accidents [18], [19] in the chemical processing 
industry sponsored by the UK Health and Safety Executive, around 1000 loss of 
containment accidents from pipework and vessels from onshore chemical and 
petrochemical plants were analysed, and the direct and underlying causes of failure 
were assessed. 


The underlying causes were defined in terms of a matrix which expressed (a) the activity 
in which the key failure occurred, and (b) the preventive mechanism failure (i.e. what 
management did not do to prevent or rectify the error). The preventive mechanisms are 
described below. 


Hazard study (of design or as-built) 


Hazard studies of design, such as HAZard and OPerability studies (HAZOP), should 
identify and determine design errors and potential operational or maintenance errors to 
the extent they fall within the scope of the review. Some underlying causes of failure 
will be recoverable at the as-built stage such as certain layout aspects or wrong 
locations of equipment. Hazard study covers: 


* inadequacies or failures in conducting an appropriate hazard study of design; 
* failure to follow-up recommendations of the HAZOP or other hazard study. 


Human Factors review 


This category specifically refers to cases of failure to recover those underlying causes 
of unsafe conditions which resulted in human errors within the operator or maintainer - 
hardware system, including interfaces and procedures. These errors are of the type that 
can be addressed with a Human Factors oriented review. The unrecovered errors will 
be information processing or action errors in the following categories: 


* failure to follow procedures due to poor procedural design, poor communication, 
lack of detail in PTW, inadequate resources, inadequate training, etc.; 


* recognition failures due to inadequate plant or equipment identification, or lack of 
training, etc.; 


* inability or difficulty in carrying out actions due to poor location or design of 
controls. 


Task Checking 


Checks, inspections and tests after tasks that have been completed should identify 
errors such as installing equipment at the wrong location or failure to check that a 
system has been properly isolated as part of maintenance. 


Routine Checking 


The above are all routine activities in the sense that they are part of a vigilance system 
on regular look-out for recoverable unsafe conditions in plant / process. These 
activities may be similar to the task checking category activities but they are not task 
driven. This category also includes failure to follow-up, given identification of an unsafe 
condition as part of routine testing or inspection. Evidence for events that would be 
included in this category would be: 


* equipment in a state of disrepair; 
* inadequate routine inspection and testing 


The distribution of failures is shown in Table 2.4 and Table 2.5, and graphically in Figure 
2.1. Human Factors aspects of maintenance and normal operations account for around 
30% of LOC incidents (a similar proportion could have been prevented by a hazard 
study of the design (by HAZOP, QRA etc.)). 


A study of 402 North Sea offshore industry release incidents, from a single operator, 
indicates results consistent with those obtained for the onshore plant pipework study 
[20]. 


Figure 2.1 Contributions to Pipework Failures According to Underlying 
Causes and Preventive Mechanisms [19] 


Table 2.4 Distribution of direct causes of pipework and vessel failures [18], [19] 


| Cause Of Failure | % Of Known Causes: Pipework | % Of Known Causes: Vessels |
|---|---|---|
| Overpressure | 20.5 | 45.2 |
| Operator Error (direct) | 30.9 | 24.5 |
| Corrosion | 15.6 | 6.3 |
| Temperature | 6.4 | 11.2 |
| Impact | 8.1 | 5.6 |
| External Loading | 5.0 | 2.6 |
| Wrong Equipment/Location | 6.7 | 1.9 |
| Vibration | 2.5 | 0 |
| Erosion | 1.3 | 0.2 |
| Other | 2.5 | 2.6 |


Table 2.5 Percentage Contribution of underlying causes to pipework (P) 
(n=492) and vessel (V) failures (n=193) 
(all unknown origins and unknown recovery failures removed) [19], [18] 


| Origin \ Recovery mechanism | NOT RECOVERABLE P | NOT RECOVERABLE V | HAZARDS STUDY P | HAZARDS STUDY V | HUMAN FACTORS P | HUMAN FACTORS V | TASK CHECKING P | TASK CHECKING V | ROUTINE CHECKING P | ROUTINE CHECKING V | TOTAL P | TOTAL V |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Natural causes | 1.8 | 0.5 | 0 | 0 | 0 | 0 | 0.2 | 0 | 0 | 0 | 2 | 0.5 |
| Design | 0 | 0 | 25 | 29 | 2 | 0 | 0 | 0 | 0.2 | 0.5 | 27.2 | 29.5 |
| Manufacture | 0 | 0 | 0 | 0 | 0 | 0 | 2.5 | 0 | 0 | 0 | 2.5 | 0 |
| Construction | 0.1 | 0 | 0.2 | 0.3 | 2 | 0 | 7.6 | 1.8 | 0.2 | 0 | 10.1 | 2.1 |
| Operations | 0 | 0 | 0.1 | 5.4 | 11.3 | 24.5 | 1.6 | 2.1 | 0.2 | 0 | 13.2 | 32 |
| Maintenance | 0 | 0 | 0.4 | 2.1 | 14.8 | 5.7 | 13 | 3.6 | 10.5 | 10.8 | 38.7 | 22.2 |
| Sabotage | 1.2 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1.2 | 1.0 |
| Domino | 4.6 | 11.9 | 0.2 | 0.3 | 0 | 0 | 0 | 0 | 0.3 | 0.5 | 5.1 | 12.7 |
| Total | 7.7 | 13.4 | 25.9 | 37.1 | 30.1 | 30.2 | 24.9 | 7.5 | 11.4 | 11.8 | 100 | 100 |


The key areas already mentioned for the control of loss of containment incidents can 
be listed as follows (in order of importance for preventing pipework failures): 


* Hazard review of design 


* Human Factors review of maintenance activities 


* Supervision and checking of maintenance tasks 


* Routine inspection and testing for maintenance 


* Human Factors review of operations 


* Supervision and checking of construction/installation work 


* Hazard review (audit) of operations 


* Supervision and checking of operations 


Swain and Guttman [21] have identified a global set of action errors which are 
developed in numerous sources on error identification. The following list from [22] can 
be used: 


* Error of omission: omission of required behaviour 


* Error of commission: operation performed incorrectly (e.g. too much, too little), 
wrong action, action out of sequence. 


* Action not in time: failure to complete an action in time or performing it too late/too 
early. 


* Extraneous act: performing an action when there is no task demand. 


* Error recovery failure: many errors can be recovered before they have a significant 
consequence; failure to do this can itself be an error. 


2.6.2.2 The Probability of the Error Occurring 


Table 2.6 shows the results of research carried out to determine the split of causes of 
LOC between human and equipment failure. 


Table 2.6 Split of causes for LOCs in differing industries 


| SOURCE DOMAIN | % CAUSED BY HUMAN | % CAUSED BY EQUIP | REFERENCE |
|---|---|---|---|
| Generic LOC | 40 | 60 | [23] |
| Crane Accidents | 55 | 45 | [24], [25], [26], [27], [28] |
| Chemical Process | 60-90 | 40-10 | [28] |
| Petrochemical | 50 | 50 | [28] |


Furthermore, in a study of 402 offshore LOC incidents, 47% originated in maintenance, 
30% originated in design, 15% in operations, and 8% in construction. Of the 
maintenance failures, 65% were due to errors in performing maintenance and 35% 
to failure to carry out the required activity. 


The data which identify the relative contribution of human and hardware failures are 
useful for benchmarking in fault tree analysis. This serves as a check on 
whether the analysis is giving results consistent with the historical data, which is 
particularly important when human failure probabilities in fault trees are derived 
primarily from expert judgement. 


2.6.2.2.1 Example Human Error Rates 


A simple guide to generic human error rates is contained in Table 2.7. 


Table 2.7 Example Generic Human Error Rates [29] 


Error type | Type of behaviour | Nominal human error probability (per demand)
1 | Extraordinary errors of the type difficult to conceive how they could occur: stress free, powerful cues initiating for success. | 10^-5
2 | Error in regularly performed commonplace simple tasks with minimum stress. | 10^-4
3 | Errors of commission such as operating the wrong button or reading the wrong display. More complex task, less time available, some cues necessary. | 10^-3
4 | Errors of omission where dependence is placed on situation cues and memory. Complex, unfamiliar task with little feedback and some distractions. | 10^-2
5 | Highly complex task, considerable stress, little time to perform it. | 10^-1
6 | Process involving creative thinking, unfamiliar complex operation where time is short, stress is high. | 10^-1 to 1

Note: Table 2.3 also contains some generic human error probabilities from a different source 


2.6.2.2.2 Performance Shaping Factors 


Although a great deal is known about the effects of different conditions on human 
performance, their quantification in terms of the extent to which error likelihood is 
affected is poorly researched. Human Reliability Assessment techniques often provide 
a database of the effects of PSFs, and these are generally based on judgement. The 
PSFs with the biggest influence, such as high stress or lack of training, are broadly 
estimated to result in an order of magnitude increase in error likelihood. Other effects 
relate to performance over time such as a decrease in the ability to remain vigilant over 
long periods and hence detect changes in the environment. 


Some data on the factors influencing the performance of an individual when carrying 
out a task are shown in Table 2.8. 


Table 2.8 Multipliers for Performance Shaping Factors [30],[31] (Maximum 
predicted value by which unreliability might change going from "good" 
conditions to "bad") 


Error-Producing condition | Multiplier
Unfamiliarity with a situation which is potentially important but which only occurs infrequently or which is novel. | 17
A shortage of time available for error detection and correction. | 11
A low signal-noise ratio. | 10
A means of suppressing or over-riding information or features which is too easily accessible. | 9
No means of conveying spatial and functional information to operators in a form which they can readily assimilate. | 8
A mismatch between an operator's model of the world and that imagined by a designer. | 8
No obvious means of reversing an unintended action. | 8
A channel capacity overload particularly one caused by simultaneous presentation of non-redundant information. | 6
A need to unlearn a technique and apply one which requires the application of an opposing philosophy. | 6
The need to transfer specific knowledge from task to task without loss. | 5.5
Ambiguity in the required performance standards. | 5
A mismatch between perceived and real risk. | 4
Poor, ambiguous or ill-matched system feedback. | 4
No clear direct and timely confirmation of an intended action from the portion of the systems over which control is to be exerted. | 4
Operator inexperience (e.g. newly-qualified tradesman vs. "expert"). | 3
An impoverished quality of information conveyed by procedures and person/person interaction. | 3
Little or no independent checking or testing of output | 3
A conflict between immediate and long-term objectives. | 2.5
No diversity of information input for veracity checks. | 2.5
A mismatch between the educational achievement level of an individual and the requirements of the task. | 2
An incentive to use more dangerous procedures. | 2
Little opportunity to exercise mind and body outside the immediate confines of a job. | 1.8
Unreliable instrumentation (enough that it is noticed). | 1.6
A need for absolute judgements which are beyond the capabilities or experience of an operator. | 1.6
Unclear allocation of function and responsibility. | 1.6
No obvious way to keep track of progress during an activity. | 1.4
A danger that finite physical capabilities will be exceeded. | 1.4
Little or no intrinsic meaning in a task. | 1.4
High-level emotional stress | 1.3
Evidence of ill-health amongst operatives, especially fever. | 1.2
Low workforce morale. | 1.2
Inconsistency in meaning of displays and procedures. | 1.2
A poor or hostile environment (below 75% of health or life-threatening severity). | 1.15
Prolonged inactivity or high repetitious cycling of low mental workload tasks | 1.1 for 1st half-hour, 1.05 for each hour thereafter
Disruption of normal work-sleep cycles. | 1.1
Task Pacing caused by the intervention of others. | 1.06
Additional team members over and above those necessary to perform task normally and satisfactorily. | 1.03, multiply per man
Age of personnel performing perceptual task. | 1.02


This is a mature and commonly used approach. It is relatively simple to follow and 
there are a large number of generic data sources for HEPs. However, it is very 
dependent upon the skill of the analyst in identifying opportunities for error. It usually 
requires at least a two person specialist team, one for the equipment and one for the 
human reliability identification, with some mutual understanding of the operation of the 
human-technical system. 


2.6.2.3 Overall result 


Operator error is incorporated through identification of opportunities for error which 
could lead to the initiation of an accident. The opportunities for error could include: 


* directly causing an initiating event (e.g. leaving a valve open and starting a pump) 


* failing to recover (identify and correct) a mechanical failure or operator error which 
directly or indirectly could cause an initiating event (e.g. failure to identify a stuck 
valve, fail to check procedure completed) 


* indirectly causing an initiating event (e.g. a calculation error, installing the wrong 
piece of equipment) 


Figure 2.2 shows the overall structure of incorporating human error into FTA. 

Figure 2.2 Overall Structure of Incorporating Human Error into FTA 
[Fault tree diagram combining events through OR and AND gates.]


To quantify this event so that the probability of the event occurring can be established, 
the human error scores or the probability values, along with the performance shaping 
factors, need to be added to the stages within the FTA. These scores, when combined 
together, will give an overall likelihood of the event occurring. 


Note that the term "operator error" is frequently used to cover all cases of front line 
human error such as in maintenance, operations, task supervision, and start-stop 
decisions. When identifying opportunities for error, it is usual to express each error as 
an external (observable) mode of failure, such as an action error (e.g. doing something 
incorrectly). This is preferable to using internal modes of failure (e.g. short term 
memory failure). 


There is a tendency to overestimate human error probabilities relative to the hardware 
failure estimates. One reason is that human error recovery mechanisms are often 
forgotten. For example, a maintenance error could be recovered by checking by the 
supervisor. This means that in FTA, many human errors should have an AND gate with 
error recovery failure. The latter would be 1 if there is no opportunity for error recovery. 
For a well designed error management system, the practice is to use an error recovery 
failure probability of 107. 
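
The AND gate between a human error and its recovery failure, and the benchmark against Table 2.6, as an added example that is not part of the original datasheet. The nominal HEP, the equipment failure probability, the assessed proportions, the recovery failure probability of 0.01 and the HEART-style proportion scaling of the Table 2.8 multipliers are assumptions made for the illustration.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Basic:
    """Basic event with a per-demand probability; human=True marks a human error."""
    name: str
    p: float
    human: bool = False


@dataclass(frozen=True)
class Gate:
    """AND/OR gate over basic events or other gates."""
    kind: str
    inputs: tuple


def adjusted_hep(nominal, psfs):
    """Scale a nominal HEP by performance shaping factors.

    psfs: (maximum multiplier from Table 2.8, assessed proportion 0..1) pairs.
    Scaling each multiplier as (m - 1) * proportion + 1 is the HEART
    convention, assumed here; Table 2.8 itself lists only the maxima.
    """
    factor = prod((m - 1.0) * share + 1.0 for m, share in psfs)
    return min(1.0, nominal * factor)  # a probability cannot exceed 1


def probability(node, include_human=True):
    """Probability of a node, treating basic events as independent."""
    if isinstance(node, Basic):
        return node.p if (include_human or not node.human) else 0.0
    parts = [probability(child, include_human) for child in node.inputs]
    if node.kind == "AND":
        return prod(parts)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in parts)
    raise ValueError(f"unknown gate type: {node.kind!r}")


def human_share(top):
    """Fraction of the top-event probability that disappears if no human errs."""
    total = probability(top)
    if total == 0.0:
        return 0.0
    return 1.0 - probability(top, include_human=False) / total


# Constructed inputs (assumptions, not data from the page).
NOMINAL_MAINTENANCE_HEP = 1e-3
EQUIPMENT_FAILURE_P = 1e-4
PSFS = [
    (3, 0.5),    # Table 2.8: operator inexperience, judged half-present
    (11, 0.2),   # Table 2.8: shortage of time for detection and correction
]
TABLE_2_6_GENERIC_LOC_HUMAN = 0.40  # Table 2.6: 40% human, 60% equipment


def loc_tree(recovery_failure_p):
    """LOC = equipment failure OR (maintenance error AND recovery failure)."""
    hep = adjusted_hep(NOMINAL_MAINTENANCE_HEP, PSFS)
    return Gate("OR", (
        Basic("valve fails", EQUIPMENT_FAILURE_P),
        Gate("AND", (
            Basic("maintenance error", hep, human=True),
            Basic("supervisor check fails", recovery_failure_p, human=True),
        )),
    ))


if __name__ == "__main__":
    for label, recovery in (("no recovery opportunity", 1.0),
                            ("supervisor check, assumed 0.01", 0.01)):
        tree = loc_tree(recovery)
        print(f"{label}: P(LOC) = {probability(tree):.3e}, "
              f"human share = {human_share(tree):.0%} "
              f"(Table 2.6 generic LOC: {TABLE_2_6_GENERIC_LOC_HUMAN:.0%})")
```

With the recovery branch left out (recovery failure set to 1) the human share of the top event is far above the Table 2.6 benchmark; with the assumed supervisor check it falls close to it.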


The data provide a statistical model which has been used as a basis for factoring 
Generic LOC data using a Modification of Risk Factor derived from an assessment of 
the quality of Safety Management. The modification factor for generic failure rates 
ranges between 0.1 and 100 for good and poor management respectively [32], but more 
typically between 0.5 and 10 in practice. 


2.6.3 Techniques 


To complete this task of predicting LOC the following techniques could be used as a set 
or individually: 


* Hierarchical Task Analysis 
* Human Error Assessment and Reduction Technique 
* Fault Tree Analysis 

And supported by: 

* HAZIDs 
* HAZOPs 
* OSHAs 


2.7 Human Factors in the determination of event outcomes 
2.7.1 Rationale 


Event outcome modelling is normally concerned with mitigation and escalation of an 
initiating event. The outcome of events can be dependent on operator intervention, 
either because the operator is required to perform a primary role, or because the 
operator must rectify failures of automatic systems, e.g. if an automatic system fails or 
an operator is aware of the event prior to automatic detection. 


There are two approaches to event modelling. The first focuses purely on the activities, 
errors or lapses that need to occur for the top event to occur. The second adds the 
element of time into the equation so that scenarios where the outcome is affected by 
response or reaction time can still be accurately modelled. 


2.7.2 Stages 


Before the event tree can be established, the initiating event and the tasks below that 
need to be established. In addition, three human factor issues need to be considered as 
part of the event tree. These are:- 


* Human detection and recognition of the incident 
* Operator activation of an emergency system 
* Operator application of a specific procedure 

Furthermore, factors that could affect these are: 

* reliability of an operator recognising an emergency situation (clarity of the alerting 
signal and subsequent information) 
* familiarity with the task 
* increased stress due to perceived threat 

Each of these factors is applicable to both the time related ETA and the non-time ETA. 


2.7.2.1 Establishing the top level event 
The initiating event can be established from a number of sources. These include:- 


* Practical experience - if the analysis is being carried out on a currently operating 
system 
* HAZID, HAZOP or OSHA - where expert judgement is used to define the critical 
events 
* Task Analysis - where the primary tasks and outcomes can be established. 


2.7.2.2 Event Tree Analysis 


Once the initiating event has been established the event tree can be built around it. The 
event tree is constructed by working through each of the possible actions that occur 
after the initiating event to determine the likelihood of each outcome. Quantification can 
be applied to the likelihood of an event occurring. The figures for this can come from a 
number of sources including Fault Tree Analysis, Human Error Analysis, expert opinion 
and user judgement. These figures are then multiplied together to give a likelihood 
score for that end event occurring. The example in Figure 2.3 shows the consequences 
of a rupture or leak in an unloading hose at a chemical plant. The contribution of the 
human to the event tree could be added as an extra branch along the top of the tree. 


Figure 2.3 An example of an event tree 


[Event tree diagram. Branch headings: Release; Rupture or Leak; Operator absent; Remote valve fails to close; Check valve fails to re-seat; Manual valve not closed. End events: Rupture, not isolated; Backflow rupture (30 min); Backflow rupture (1 min); Leak, not isolated; Backflow leak (30 min); Backflow leak (1 min); No event. Totals are given per year for "leak, not isolated" and "rupture, not isolated".]


2.7.2.3 Simulating Human Contribution to Event Mitigation 


This process differs from the first approach to event tree modelling by quantifying the 
time taken to carry out that task. Therefore, a Task Analysis needs to be carried out to 
define the steps taken during the event. To each of these tasks a time needs to be 
allocated. These times can be established by observation of the task either during trial 
operation or during training runs. The captured times need to include reaction and 
response times to actions as well as the time taken to actually perform the task. This 
additional information can then be applied to the model to provide a time based 
response to the top event. An example of the time allocation can be seen in Table 2.9. 


Table 2.9 Example times per task 


Task | Time taken
Recognise the incident | 70 seconds
Request sufficient power to be available to operate the winches | 10 seconds
Determine the direction to move the installation | 20 seconds
Operate the winches so as to slacken and reel in opposing winches | 30 seconds
Recognise the failure to request sufficient power | 30 seconds
Recognise that the wrong direction has been selected | 120 seconds
Recognise that the winches have been operated in the wrong combination | 80 seconds


2.7.2.4 Modifiers 


As with all Human Factors and human performance issues, the ability to carry out tasks 
can be altered by the environment in which they occur. These are called modifiers and 
can affect time to complete the task, the procedure selected and the likelihood of an 
error occurring. Example modifiers are: 


The clarity of the signal. If the signal is clear, highly attention gaining, and very 
difficult to confuse with any other type of signal (including a false alarm) and the 
required action by an operator is to do nothing more than acknowledge it, the 
likelihood of an operator error is small (in the region of 10 to 10 per demand). 
Increasing the complexity of warning signals, therefore requiring the operator to 
interpret a pattern of signals, raises the likelihood of error. The effect of a "low 
signal to noise ratio" (i.e. signal masked by competing signals, or of low strength in 
terms of perceptibility) can increase the likelihood of misdiagnosis by up to a factor 
of 10. 


False alarm frequency. Data on human behaviour in fires in buildings shows that 
80% to 90% of people assume a fire alarm to be false in the first instance (see 
Section 2.8.2.2.2). 


Operator familiarity with the task. Due to the low probability of emergency 
events operators can have little familiarity with the tasks that they have to perform. 
This results in an increased likelihood of error. Table 2.10 below shows the human 
error probabilities (HEP) for rule based actions by control room personnel after 
diagnosis of an abnormal event [21]. 


Table 2.10 The human error probabilities (HEP) for rule based actions by 
control room personnel after diagnosis of an abnormal event 

Potential Errors | Human error probability | Error factor
Failure to perform rule-based actions correctly when written procedures are available and used: | |
Errors per critical step with recovery factors | 0.05 | 10
Errors per critical step without recovery factors | 0.25 | 10
Failure to perform rule-based actions correctly when written procedures are not available or used: | |
Errors per critical step with or without recovery factors | 1.0 | -


Stress can also affect how a person reacts and has been shown to increase the 
likelihood of error. Example modifiers are provided in Table 2.11. 

Table 2.11 Example of Modifiers when Calculating Event Tree Probabilities 


Modifiers (Multipliers) of Nominal HEPs

Stress Level | Skilled | Novice
Very low (Very low task load) | 2 | 2
Optimum (Optimum task load): | |
Step-by-step task | 1 | 1
Dynamic task | 1 | 2
Moderately high (Heavy task load): | |
Step-by-step task | 2 | 4
Dynamic task | 5 | 10
Extremely High (Threat stress): | |
Step-by-step task | 5 | 10
Diagnosis task | Error probability = 0.25 (EF = 5) | Error probability = 0.5 (EF = 5)


Furthermore, where an operator is to perform a number of tasks as part of a predefined 
procedure the analyst must decide whether to apply the modifier to some or all of the 
errors which may be made in following the procedure. It can be argued that the modifier 
should be applied once (i.e. to the procedure as a whole) rather than to each error, since 
the tasks are inherently linked by the procedure rather than being independent actions. 
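
The time-based event tree of Section 2.7.2.3 combined with the stress modifiers of Table 2.11, as an added example that is not part of the original datasheet: it enumerates every error path through the Table 2.9 winch procedure and compares applying the modifier to each step with applying it once to the procedure. The nominal HEP, the 250 second time limit, the rule that a recognised error is followed by a correct repeat of the step, and the reading of "applied once" as scaling the procedure-level result are assumptions.

```python
from itertools import product

# Table 2.9: the incident must be recognised first, then three action steps
# follow. Each step is (name, seconds to perform, seconds to recognise an
# error made in that step).
INCIDENT_RECOGNITION_S = 70
STEPS = [
    ("request power", 10, 30),
    ("determine direction", 20, 120),
    ("operate winches", 30, 80),
]
# Table 2.11: extremely high (threat) stress, step-by-step task.
STRESS_MODIFIER = {"skilled": 5, "novice": 10}
# Constructed values (assumptions, not data from the page).
NOMINAL_HEP = 0.01
TIME_AVAILABLE_S = 250


def branches(hep):
    """Every error/no-error path as (error pattern, probability, seconds)."""
    paths = []
    for pattern in product((False, True), repeat=len(STEPS)):
        prob, seconds = 1.0, INCIDENT_RECOGNITION_S
        for erred, (_, perform_s, recognise_s) in zip(pattern, STEPS):
            prob *= hep if erred else 1.0 - hep
            seconds += perform_s
            if erred:
                # Assumption: the error is recognised, then the step is
                # repeated correctly, so recovery costs time but always works.
                seconds += recognise_s + perform_s
        paths.append((pattern, prob, seconds))
    return paths


def expected_seconds(hep):
    """Mean time to complete the procedure over all paths."""
    return sum(prob * seconds for _, prob, seconds in branches(hep))


def p_late(hep, deadline_s=TIME_AVAILABLE_S):
    """Probability that the procedure takes longer than the time available."""
    return sum(prob for _, prob, seconds in branches(hep) if seconds > deadline_s)


def p_late_modifier_each(modifier):
    """Stress modifier applied to every step's HEP."""
    return p_late(min(1.0, NOMINAL_HEP * modifier))


def p_late_modifier_once(modifier):
    """Stress modifier applied once, to the outcome of the whole procedure."""
    return min(1.0, p_late(NOMINAL_HEP) * modifier)


if __name__ == "__main__":
    print(f"nominal: E[T] = {expected_seconds(NOMINAL_HEP):.1f} s, "
          f"P(late) = {p_late(NOMINAL_HEP):.4f}")
    for who, m in STRESS_MODIFIER.items():
        print(f"{who} (x{m}): each step = {p_late_modifier_each(m):.4f}, "
              f"once = {p_late_modifier_once(m):.4f}")
```

The two treatments diverge only on paths that need more than one error to run late, where the per-step modifier is counted once for each error.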


2.7.3 Techniques 


For this process there is not one recommended technique. However the use of 
Hierarchical Task Analysis, HEART, THERP and APJ together will help input to the event 
tree itself. 


2.8 Human Factors in the assessment of fatalities during escape and 
sheltering 


2.8.1 Rationale 


This section deals with the Human Factors issues which have a significant bearing on 
the safety of personnel during escape and sheltering. Methods and data are presented 
for assessing the likelihood of fatalities as events progress. 


The term "escape" is considered to cover the movement of personnel from their initial 
location (at the time of the event) to a place of safety. The term "sheltering" is 
considered to cover the time spent by personnel within the place of safety. In the UK 
offshore regulations, this place of safety is termed the Temporary Refuge (TR) or Place 
of Safety (POS). For onshore installations these can include muster points. 


Fatalities during escape and sheltering can be divided into three sub-categories, e.g.: 


* immediate fatalities - personnel who are in close proximity in the initial stages of the 
event 


* escape fatalities - personnel who are not initially in close proximity but become 
exposed to the event as they attempt to reach a temporary refuge or place of safety. 

* sheltering fatalities - personnel who are exposed to a hazard while sheltering in the 
temporary refuge or place of safety. 


In estimating fatalities, assessment of the likelihood of personnel being exposed to the 
hazard and the effect of exposure are required. 


For hydrocarbon releases the hazards of concern are thermal radiation, explosion 
overpressure or toxic gas/smoke inhalation and narcotic effects of hydrocarbon 
inhalation, for which the methods of assessing the effect of exposure can include the 
use of tolerability thresholds or Probit equations (see Human Vulnerability datasheet). 


The estimation of the likelihood of personnel being exposed to a hazard during the 
escape and sheltering phases involves both event consequence modelling (e.g. fire 
propagation, temporary refuge impairment etc.) and human behaviour modelling. In an 
offshore situation the behaviours of interest include: 


* time taken to initiate escape 
* speed of movement to the temporary refuge 
* choice of route so as to minimise exposure 
* choice of route based on perception of the hazard 
* use of protective equipment. 


Statistics for a QRA must be derived by interpreting data taken from a number of 
sources. Particular factors to be taken into account in deriving the statistics are: 


* the reliability of response to alarms and the effect of false alarm frequency on 
response behaviour; 


* characteristic behaviour patterns in life threatening situations 


* changes in behaviour when exposed to a hazard (e.g. 2 operators died on the Brent 
Bravo platform 2003 after they were exposed to light hydrocarbon which dulled their 
senses and prevented rational decision making) 


2.8.2 Stages 


There are 3 key stages that need to be gone through in order to predict the number of 
fatalities associated with escape and sheltering. These are:- 


* Define the variables (including the Human Factors variables) 
* Quantify those variables 
* Model the variables 


2.8.2.1 Defining the variables 


The following list states some of the variables that could be manipulated to determine 
the number of fatalities associated with these events: 


* Number of people escaping 
* The route they take 
* Person reaction (time to respond and type of response) 
* Where the incident occurred in relation to the temporary refuge / place of safety 
* The temporary refuge (size, location, purpose) 
* Availability of Personal Protective Equipment / Personal Survival Equipment 
* Training of the escapees in use of PPE and emergency procedures 
* Degradation of human performance under the event conditions (stress, exposure to 
toxic substances, smoke etc) 
* Effect of other persons' behaviour (team leader, following the person in front etc) 
* Time of day 
* Environmental conditions 
* A person's previous experiences 


This list is not exhaustive and there may be some site specific variables that could be 
added. 


2.8.2.2 Quantification of the variables 


The data within this section can be used to quantify some of the variables above during 
the modelling process. 


2.8.2.2.1 Varying the location of the event and the escapee 


In analysing, the analyst cannot expect to find universally applicable historical data with 
which to assess escape performance as this is location specific. For example, in regard 
to the question of how likely it is that personnel will be in the vicinity of an event, the 
analyst should consider the types of activities which take place on the installation. A 
review should consider whether the alarm could be masked by other noises, and the 
procedures followed to investigate an alarm, which may involve an operator being sent 
to inspect the area. 


Using the layout of the installation and details of the incident (such as availability of 
escape ways, level of hazard) software tools can be used to assist in certain aspects of 
escape evaluation. Most commonly they are used in the calculation of the time taken for 
personnel to reach predefined points of safety. The approaches used by the models 
differ and the scope for using them to estimate escape fatalities varies. Models which 
may be suitable for applying to offshore installations include: EGRESS, MUSTER, 
EVACNET+, SPECS, EXIT89. 


A simple method for estimating the likelihood of personnel becoming exposed to a 
hazard is to model the structure as a 3-D grid of cells and then consider, for an event in 
a specific area, the likelihood of personnel entering the incident area as they make their 
way to a TR/POS (see Figure 2.4). 
Figure 2.4 Plan view of a simple bridge-linked platform, demonstrating a 
method of estimating exposure probabilities 

[Plan-view grid: a production platform joined by a bridge link to the temporary refuge, with one cell marked as the incident area. Each cell carries the probability of a person who starts from that area entering the incident area while travelling to the TR.]


In estimating the probability associated with each starting point, not only the routing of 
the walkways can be taken into account but some Human Factors issues can be 
accommodated in the analysis: 


* the detectability of the event (i.e. personnel are more likely to see an ignited release 
than an unignited one and re-route accordingly). Events could be grouped together 
into categories and a different version of the grid produced for each category. 
Detectability can be enhanced indirectly by informative announcements over the PA 
system, therefore relevant procedures can be considered in the analysis. 


* Preferences for certain walkways/routes. Bias could be introduced into the 
probability figures based on the routes used by personnel, including short-cuts that 
may have become the norm. 


The number of behavioural aspects which have a bearing on escape performance is 
large, and for many, data are limited or from a different field of activity. Therefore an 
analyst who wishes to reflect a particular working method within the assessment, such 
as Buddy-Buddy working, will not have a specific database of statistical evidence with 
which to work. This does not imply that the analysis cannot reflect such issues, but it 
does imply that doing so requires some insight into the behavioural implications. 


Validating a theoretical analysis of escape performance, whether it be performed with 
the assistance of a software tool or not, is clearly problematic. Observing the time it 
takes personnel to move around the installation and perform relevant tasks is a starting 
point. In order to compare these data to the predictions of a model, due account must 
be taken of the effects of emergency circumstances on the personnel and the platform. 
An approach to validating predictions of escape performance is proposed in 
[33]. 


2.8.2.2.2 Reliability and time to respond to alarms (e.g. time to initiate escape to a TR/POS) 


The reliability of response to alarms is a key issue in the assessment of mustering 
performance. A large amount of data has been collected with regard to the factors 
which affect behaviour following an alarm signal. The findings indicate that the two 
dominant factors are: 


* previous experience of alarms (false alarms) 
* confirmatory signals (such as smoke, fire, noise) 


Data from building evacuations, where a high proportion of fire alarm signals are false, 
indicate that a significant proportion of people are likely to seek confirmation before 
commencing escape. 


Further data to enable the factors affecting false alarm rate and response behaviour to 
be identified are not available. It is expected that in the offshore environment the 
proportion of personnel seeking confirmation before commencing escape would be less 
than suggested by the data in Table 2.12 because of training and an awareness of the 
potential danger. 


Table 2.12 Data on response to alarms 


Issue | Context | Finding
Interpretation of alarm | Fire drill in a building (without warning) | 17% assumed it to be a genuine alarm (sample of 176); false alarm - 83%
Interpretation of alarm | Fire drill in a building (without warning) | 14% assumed it to be a genuine alarm
Interpretation of alarm | Fire drill in a building (without warning) | 14% assumed it to be a genuine alarm (sample of 96)
Confirmation of hazard | Actual fires in buildings | 9% (2 of 22) believed there was a fire before seeing flames; 77% (17 of 22) required visual and other cues
Time to respond to an alarm | Research into normal alarms | 10% chose to evacuate after 35 seconds
Investigation of the alarm | Domestic fires | 41 people performed 76 investigative acts
Tackling the hazard | Domestic fires | 50% (268 out of 541) attempted to fight the fire
Tackling the hazard | Multiple occupancy fires | 9% (9 out of 96) attempted to fight the fire
Use of fire extinguisher | Domestic fires | Of 268 who knew of the nearby location of an extinguisher, 50% tackled the fire but only 23% used the extinguisher
Assisting others | Multiple occupancy fires | 25 acts of giving assistance (total of 96 people)


2.8.2.2.3 Speed of movement of personnel 


Data on speed of movement is relatively plentiful, and studies to assess degradation 
due to exposure to hazards have been performed. Table 2.13 summarises some 
relevant data. 


Table 2.13 Data on the speed of movement 


Issue | Context | Finding
Density of people | Unhindered walking | Average speed of 1.4 m/s
Density of people | Movement in congested area | 0.05 m/s in density of 0.5 m² per person
Effect of smoke on speed of evacuation | Evacuation from buildings | 40% reduction (from normal walking speed)
Effect of lighting level on speed of evacuation | Evacuation from buildings | 10% reduction in speed (from normal walking speed) with emergency lighting of 0.2 lux
Effect of lighting level on speed of evacuation | Evacuation from buildings | 10% reduction in speed (from normal walking speed) if fluorescent strips, arrows and signs are used in pitch black surrounding
Effect of lighting level on speed of evacuation | Evacuation from buildings | 50% reduction in speed (from normal walking speed) in complete darkness
Age of person | Unhindered walking | From the age of 19 onwards, decrease in speed of 1-2% per decade (average 16% reduction by age of 63)


The above table is for uninjured personnel. Although data is not available for personnel 
with damaged limbs, a reduction in speed is expected. The relationship between 
incapacitation and burns is complicated as burn injuries have a progressive effect. Stoll 
and Greene [34] show that for second or third degree burns over 100% of body area, the 
percentage incapacitation is less than 10% within the first 5 minutes, rising to 50% after 
a few hours and reaching 100% in a day or so. 


2.8.2.2.4 Choice of route 


The choice of escape route contributes to the likelihood of a person being exposed to 
the hazard while making their way to the TR/POS. 


Two specific aspects of human behaviour which have been identified through review of 
evacuations and are relevant to assessing the likelihood of route choice are: 


* familiarity of personnel with the routes (i.e. seldom used emergency routes versus 
normal routes); 


* obstacles or hazards on the route (in particular the presence of smoke along the 
route). 


The data in Table 2.14 suggest a strong tendency for personnel to use routes with which 
they have the greatest familiarity. 


It is worth noting that it is common for personnel to become accustomed to using 
routes which were not intended to be normal access routes (i.e. creating shortcuts). 
Such an occurrence can invalidate the assumptions in a safety study. 

Table 2.14 Human Behaviour Data on Choice of Evacuation Routes 


Issue | Context | Finding | Ref.
Familiarity with exits | Hotel fire | 51% departed through normal entrance; 49% departed through fire exit | [35]
Familiarity with exits | General evacuations | 18% went to known exit without looking for another (sample size 50) | [36]
Familiarity with exits | Evacuation drill in a lecture theatre | 70% left through normal entrance; 30% left through the fire exit | [35]
Moving through smoke | General evacuations | Choice of exit is more influenced by familiarity with the route than amount of smoke | [37]
Moving through smoke | General evacuations | 60% attempted to move through smoke (50% of these moving 10 yards or more) | [38]


2.8.2.2.5 Performance in the use of Personal Protective Equipment (PPE) or 
Personal Survival Equipment (PSE) - reliability of success in using 
PPE/PSE and time to use PPE/PSE 


In an emergency situation the PPE required to give additional protection can be 
relatively complex equipment such as smoke hoods or self contained breathing 
apparatus. 


In terms of risk assessment, failures or delays in the use of the necessary PPE/PSE can 
increase the likelihood of fatalities. Therefore, an estimate of the percentage of the 
population who can use PPE/PSE correctly and the likely time taken are relevant. 


The findings of a study of the reliability of use of re-generative breathing apparatus are 
presented in Table 2.15. The study involved visiting mines and asking miners, without 
warning, to put on their apparatus. The authors used a five point rating scale instead of 
simple pass or fail categories as they recognised that users may be able to rectify their 
mistakes, either by themselves or with the assistance of their colleagues. However, the 
category "failing" implies that a user would have very little chance of ever protecting 
themselves with the equipment. 


Table 2.15 Performance in using re-generative breathing apparatus, 
measured at four mines 


Donning Proficiency Profiles at each Mine (% of personnel)

Skill Level | Mine A | Mine B | Mine C | Mine D
Failing | 6.3 | 18.2 | 40.0 | 6.9
Poor | 50 | 27.3 | 40.0 | 6.9
Marginal | 15.6 | 15.2 | 6.7 | 6.9
Adequate | 15.6 | 33.3 | 10.0 | 44.8
Perfect | 12.5 | 6.0 | 3.3 | 34.5


The results of the study show that performance in the use of PPE can be poor. The 
authors suggested that training was a dominant contributor to the differences between 
the four mines. However, they did not provide details of the training regimes and 
therefore insights into the relative importance of induction training or frequency of drills 
cannot be gained. 


Data on the time to use breathing apparatus is not available. The findings above 
suggest that there can be significant differences between personnel who are very 
familiar and experienced with the equipment and those who are not. 


2.8.2.2.6 Allowing for degradation in human performance due to toxic or thermal 
exposure 


The data given in Table 2.15 takes no account of exposure to a hazard. It can be 
expected that exposure to a hazard could significantly degrade human performance. 
Choice of route, ability to put on a smoke hood, and capability to use an escape system 
are examples of behaviour which could be impaired by exposure to a hazard. 


In reviewing the data and considering the degree to which performance could be 
degraded it is necessary to consider indirect factors such as cognitive performance 
degradation, sensory performance degradation, and physical performance degradation 
(e.g. dexterity and co-ordination) when attempting to assess the effect on performance. 
The greater the detriment to these performance parameters, the more likely it is that 
errors will be made and that the time to perform tasks will increase. 


There is limited data on the direct effect of exposure to hazards on human performance 
and this is predominantly at concentrations below those possible in incidents. Table 
2.16 has data on the effect of smoke inhalation. 


Table 2.16 Data on the effect of exposure to smoke on cognitive abilities 


Issue | Context | Finding
Cognitive abilities | Effect of exposure to smoke on simple arithmetic tasks | 100% accuracy at 0.1 ltr/min
Cognitive abilities | Effect of exposure to smoke on simple arithmetic tasks | 58% accuracy at 1.2 ltr/min


Referring to the data on the effects of Hydrogen Sulphide (see Human Vulnerability 
datasheet) it is clear that a person's ability to see will be impaired, and it is possible that 
cognitive abilities will be hampered as exposure increases. It is these types of 
inferences which are necessary in assessing the effect of exposure on escape 
performance and with due regard to PPE requirements. 


A viable approach is to assume that a fraction of the lethal concentration is sufficient to 
disrupt cognitive abilities. A common choice is to use 15% of the LC50 value as a 
threshold where the rate of decision errors is significantly increased. 


2.9 Human Factors in the assessment of fatalities during evacuation, rescue 
and recovery 


2.9.1 Rationale 


To evaluate the number of fatalities during evacuation, rescue and recovery, the person 
and the environment in which the evacuation and rescue are being made should be 
considered along with the equipment to be used and its location. This section will focus 
on the Human Factors issues that should be considered as part of the QRA; however, 
during the QRA both the effect of the equipment and the HF issues mentioned should be 
considered in unison. 


2.9.2 Stages 
2.9.2.1 Scenario definition 


Before this analysis can be run the scenario and variables that are to be modelled or 
considered need to be determined. For example, the following should be considered: 


* Number of people evacuating 
* Physical characteristics (size and strength / Anthropometry) of those people 
* Layout of the facility to be evacuated 
* Route to be taken 
* Equipment to be used during the evacuation and rescue 
* Environmental conditions 
* Type of event that has caused the escape and rescue. Specifically, the warning time 
about the event and whether this event will cause confusion about the best form of 
evacuation and rescue. 
* Familiarity of the personnel with the evacuation and rescue procedures 
* The history of the facility (number of false alarms, personal reaction to alarms) 


This list is not exhaustive and there may be some additional site specific considerations 
that need to be reviewed. 


2.9.2.2 Task Analysis 


Once the scenario for modelling has been defined, the detailed tasks to be carried out 
need to be established so that the time duration and error analysis can be undertaken. 
The most widely used method is called 'Hierarchical Task Analysis' or HTA. This 
produces a numbered hierarchy of tasks and sub-tasks, usually represented in a tree 
diagram format, but may also be represented in a tabular format. It will be necessary to 
decide the level of resolution or detail required. In some cases, button presses, 
keystrokes etc. may need to be described; in other cases, description may be at the task 
level. An operator may need to be involved in the study. Once the HTA is complete, each 
stage can be reviewed to establish what the human limitations are so that they can be 
considered within the analysis. 


2.9.2.3 Issue Identification 


Below is a summary of the potentially limiting factors that should be considered. 


Anthropometry 


* A person's size and shape will have an effect on their ability to fit through escape 
hatches and other confined spaces. 


* The size of the individuals will affect the number of people who can fit into and move 
around an escape craft. 


Physiological 


* The variations in the human ability to withstand the accelerations associated with 
escape (e.g. deploying a life raft) need to be considered. 


* The variation in the human body's ability to survive at sea (cold adaptation, level of 
training and survival skills etc.) 


* The range of strength when comparing individuals. This could affect a person's 
ability to open doors or hatches etc. 


Psychological 


The requirement for an evacuation implies that there is a significant risk to life. 
Consequently the behaviour of personnel will be greatly affected by the stress of the 
situation such that: 


* the choice of actions is unlikely to be systematically thought through or weighed-up 
against all others 


* over-hasty decisions may be made based on incomplete and insufficient information 


* personnel will begin "running on automatic". There will be a reduction in the 
intellectual level, with personnel resorting to familiar actions 


* personnel will focus on the immediate task at hand to the exclusion of others and 
their ability to take on board new information will be reduced 


* personnel may exhibit rigidity in problem solving, e.g. concentrating on one solution 
even though it does not work 


* performance on seemingly simple tasks will be greatly affected. Tasks requiring 
manual dexterity will be very much more difficult and require more time to complete 
than in normal circumstances 


Other 


* The clothing and the kit that the person is wearing / carrying will affect the likelihood 
of a person surviving an evacuation and rescue. 


* Location of the survival equipment, and the accessibility of it, will affect how it is 
used. 


These points are pertinent to the performance of the person in overall charge, referred 
to here as the Offshore Installation Manager (OIM). As the person with the role of 
evaluating the incident and choosing if, how and when to evacuate, the decisions of the 
OIM can influence the outcome. 


The OIM could evaluate the conditions on the installation correctly and order an 
evacuation at the most opportune moment. The OIM will have been trained in these sorts 
of events on training simulators. However, the OIM could also: 


* delay the evacuation, or fail to give the command to evacuate, incurring greater 
fatalities than necessary 


* give the order to evacuate when there is no need to do so and therefore expose the 
personnel to unnecessary risks 


* choose the wrong mode of evacuation. 


The OIM needs to have decision criteria with which to judge the situation in order to 
choose a strategy. Ambiguity in the criteria and uncertainty or inaccuracies in the 
information available introduce the chance of a non-optimum strategy being selected. 
In addition, the stress of the situation may affect the behaviour of the OIM, and exposure 
to smoke or other toxic substances can affect his cognitive performance (see Human 
Vulnerability datasheet), adding weight to the argument that the OIM will not always 
choose the optimum strategy. Furthermore, the OIM's training and personal experiences 
will affect these decision criteria; this aspect is virtually unquantifiable yet needs 
to be considered. 


2.9.2.4 Quantification 
Quantification within this process comes in a number of forms. These could be: 


* The time taken to complete an activity can be established by either running user 
trials or by witnessing training events. The timings taken from these events should 
be considered against the environment in which they were taken and then compared 
to the environment in which they will finally be carried out. It is likely that the final 
environment is a stressful one which may alter the recorded task time. For example, 
under a more stressful environment a person may rush to complete a task (making it 
quicker) but this could increase the likelihood of making a mistake (which could 
result in the action needing repeating or indeed different action having to be taken). 


* Using anthropometric data it is possible to work out the proportion of the population 
who cannot use, fit or access a piece of equipment. This will allow a percentage to 
be given for how many people could use it to escape. 


* Human physiological limitations can be defined. This can be used to establish the 
number of people who would be able to withstand the physical environment within 
which the evacuation is taking place. 


* A human error assessment can be carried out on the four stages of evacuation when 
using a davit launched or freefall lifeboat system. This can be seen in [39]. This is 
only one area of error that could occur. The likelihood of an error occurring should 
be established on a case by case basis. 


* Research can be carried out to establish how long humans can survive in an escape 
made to the sea. The survivability of a person once they are in the water depends on 
water temperature, sea state, physiology of the person, equipment they are using 
and their psychological state. 


This list is not exhaustive and the variables applicable to the specific scenarios need to 
be established. 


2.9.2.5 Useful Data 
This section is split into data applicable to three scenarios. These are: 


* Estimating the proportion of personnel who are unable to use particular evacuation 
systems 


* Human Factors in lifeboat evacuation modelling 


* Estimating fatalities during evacuation by other means 


2.9.2.5.1 Estimating the proportion of personnel who are unable to use particular 
evacuation systems 


Human Physiological Limitations 


Accelerations are experienced in accidental collisions (lifeboat striking the installation 
structure) or as part of the evacuation process (jumping into the sea from a height, 
freefall lifeboat launch, motions of the boat). Table 2.17 gives the average levels of 
linear acceleration (g), in different directions, which can be tolerated on a voluntary 
basis for specified periods. The figures are provided for acceleration in the x axis 
(forwards/backwards) and the z axis (upwards/downwards) [40]. 


Table 2.17 Average tolerable levels of linear acceleration (units of g = 9.81 m/s^2) 


Direction of Acceleration / Exposure Time: 0.3 secs, 6 secs, 30 secs, 1 min, 5 mins, 10 mins, 20 mins 
+gz 15 11 8 5 4 3.5 
-gz 7 6 3.5 3 2 1.5 1.2 
+gx 30 20 13 11 7 6 
-gx 22 15 10.5 8 6 5 


An approach for evaluating acceleration effects in both conventional and free-fall 
lifeboats has been developed from the Dynamic Response Model [41], initially 
developed to study the response of pilots during emergency ejection from aircraft [42]. 


The Dynamic Response Model uses human tolerance criteria and lifeboat accelerations 
to infer the response of occupants to accelerations acting at the seat support. The 
method establishes an index for relating accelerations to potential injury. 


Three levels of risk for acceleration are defined in terms of the probability of injury, 
where a high level of risk carries a 50 percent probability of injury, a moderate level has 
a 5 percent probability and a low level has a 0.5 percent probability. The derived index 
values are presented in Table 2.18. 


Table 2.18 Dynamic Response Index limits for high, moderate and low risk levels 


Dynamic Response Index limits (g)
Coordinate axis | High Risk | Moderate Risk | Low Risk
-x | 46.0 | 35.0 | 28.0
+y | 22.0 | 17.0 | 14.0
-y | 22.0 | 17.0 | 14.0
+z | 22.8 | 18.0 | 15.2
-z | 15.0 | 12.0 | 9.0


With regard to the launch of freefall lifeboats, the accelerations are designed to be 
within tolerable limits and precautions, such as headrest straps, are included in some 
designs to further safeguard the occupants. To date, experience has not revealed the 
launch process to be intolerable. 


The motion of the boat can cause seasickness. However, there is little evidence that 
seasickness contributes to death in a TEMPSC [43]. 


Psychological Restrictions 


The use of relatively new evacuation technology, in particular freefall lifeboats, has 
raised the issue of the willingness of personnel to use evacuation systems. 


Discussions with training centres reveal large differences in refusal rates, ranging from 
no recorded refusals to as many as 1 in 100. Reasons for refusals include concern over 
prior back pain/injury. 


It is suggested that the refusal rate among personnel would vary with the type of 
emergency event on the installation and with the prevailing weather conditions. 
Refusals are likely to increase in poor weather conditions, but decrease with increasing 
perceived danger from the incident. 


2.9.2.5.2 Human Factors in lifeboat evacuation modelling 
Time taken to complete tasks 


Table 2.19 shows example times taken to complete the various tasks carried out during 
lifeboat launch. 


Table 2.19 Estimated Times for tasks in evacuation by traditional davit-launched lifeboat (TEMPSC) 


Task | Nominal Time
Identify boat is useable (i.e. functioning of systems are checked) | 2 min
Embark | 6 min
Assess information and decide to descend | 30 secs
Delay in descending (if there are difficulties with operating the descent system) | 2 min
Assess information and decide to disconnect | 15 secs
Delay with disconnection (if there are difficulties with operating the disconnection system) | 2 min
Disconnect | 10 secs
Release hooks manually (if there are difficulties with operating the primary release system) | 3 min
Manoeuvre from immediate vicinity of the installation | 2 mins
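

As an added illustration (not part of the original datasheet), the Python sketch below combines the nominal times of Table 2.19 into a distribution of total launch time for use in a time-based QRA model. The probabilities assigned to each difficulty, and the assumption that the difficulties are independent, are constructed for the example and are not data from this document.

```python
"""Total davit-launched lifeboat launch time built from the Table 2.19 nominal times."""
from itertools import product

# (task, nominal time in seconds from Table 2.19, difficulty that triggers it).
# A trigger of None means the task is always performed.
TASKS = [
    ("Identify boat is useable", 120, None),
    ("Embark", 360, None),
    ("Assess information and decide to descend", 30, None),
    ("Delay in descending", 120, "descent"),
    ("Assess information and decide to disconnect", 15, None),
    ("Delay with disconnection", 120, "disconnection"),
    ("Disconnect", 10, None),
    ("Release hooks manually", 180, "primary_release"),
    ("Manoeuvre from immediate vicinity of the installation", 120, None),
]

# Hypothetical keys naming the three conditional rows of Table 2.19.
DIFFICULTIES = ("descent", "disconnection", "primary_release")

# ASSUMED values for illustration only: chance that each difficulty occurs.
ASSUMED_P = {"descent": 0.10, "disconnection": 0.10, "primary_release": 0.05}


def total_time(active):
    """Sum the task times, including a conditional task only if its difficulty is active."""
    return sum(t for _, t, cond in TASKS if cond is None or cond in active)


def time_distribution(p_difficulty):
    """Return {total_seconds: probability} over every combination of difficulties.

    Difficulties are treated as independent events, which is an assumption of
    this example rather than a statement made by the datasheet.
    """
    for d in DIFFICULTIES:
        p = p_difficulty.get(d)
        if p is None or not 0.0 <= p <= 1.0:
            raise ValueError(f"probability for {d!r} must be in [0, 1]")

    dist = {}
    for flags in product((False, True), repeat=len(DIFFICULTIES)):
        prob = 1.0
        active = set()
        for d, occurred in zip(DIFFICULTIES, flags):
            prob *= p_difficulty[d] if occurred else 1.0 - p_difficulty[d]
            if occurred:
                active.add(d)
        t = total_time(active)
        # Different combinations can give the same total; merge their probabilities.
        dist[t] = dist.get(t, 0.0) + prob
    return dist


def expected_time(dist):
    """Probability-weighted mean launch time in seconds."""
    return sum(t * p for t, p in dist.items())


def prob_exceeds(dist, available_s):
    """Probability that the launch takes longer than the time available."""
    return sum(p for t, p in dist.items() if t > available_s)


if __name__ == "__main__":
    dist = time_distribution(ASSUMED_P)
    for t in sorted(dist):
        print(f"{t // 60:2d} min {t % 60:02d} s  p = {dist[t]:.4f}")
    print(f"expected time: {expected_time(dist):.0f} s")
    print(f"P(time > 13 min): {prob_exceeds(dist, 13 * 60):.4f}")
```

The available time passed to `prob_exceeds` would come from the scenario definition (for example, the time until the embarkation area becomes untenable), and the nominal times would be adjusted for the stress effects discussed under Quantification.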


Task Specific Human Error Rates 


Table 2.20 and Table 2.21 present human error rates taken from a study that compared 
freefall and davit launched lifeboats [39]. 
Table 2.20 Estimated human errors probabilities (HEP) and possible outcome in evacuation by freefall lifeboat 


Stage | Error | Contingent Conditions (necessary for the outcome to be realised) | Estimated HEP (and EF¹) | Outcome
Prepare to embark | Hook release not checked | Hook attached | 107 (5) | Death or injury
Prepare to embark | Hook release check fails | Catastrophic fault in hook system | 10” (10) | Death or injury
Prepare to embark | Fail to correct hook release fault | Catastrophic fault in hook system | 10? (3) | Death or injury
Prepare to embark | Cradle orientation not checked | Cradle not angled correctly after maintenance/drill | 10° (10) | Death or injury
Prepare to embark | Cradle orientation check fails | Cradle not positioned correctly after maintenance/drill | 10? (10) | Death or injury
Prepare to embark | Fail to correct cradle orientation | Cradle not positioned correctly after maintenance/drill | 10? (3) | Death or injury
Prepare to embark | Protection systems not checked | One or more protection systems has a catastrophic fault | 10? (5) | Death or injury
Prepare to embark | Recovery winch connection not checked | | 10? (5) | Occupants stranded in boat
Prepare to embark | Fails to detach connected recovery winch | | 10? (10) | Occupants stranded in boat
Embarkation | Fail to embark (scenario dependent) | | 10? (100) | Death or injury of an individual
Embarkation | Stretcher carried into boat in wrong orientation | | 10? (3) | Departure delayed
Departure | Straps not used correctly by a passenger | | 10” (5) | Death or injury to the occupant
Departure | Primary release system used incorrectly | | 10? (5) | Departure delayed
Departure | Secondary system used incorrectly | | 10? (5) | Departure delayed
Move Away | Gearbox/prop check not done | System has a fault | 107 (10) | Unmanoeuvrable boat
Move Away | Gearbox/prop check fails | System has a fault | 10? (10) | Unmanoeuvrable boat
Move Away | Steering check not done | System has a fault | 10? (10) | Unmanoeuvrable boat
Move Away | Steering system check fails | System has a fault | 10? (10) | Unmanoeuvrable boat
Move Away | Starting controls not identified | System has a fault | 10? (5) | Unmanoeuvrable boat
Move Away | Unable to start propulsion system | System has a fault | 10? (5) | Unmanoeuvrable boat


¹ EF = Error Factor 
Table 2.21 Estimated human errors probabilities (HEP) and possible outcome in evacuation by conventional davit-launched lifeboat 


Stage | Error | Contingent Conditions (necessary for the outcome to be realised) | Estimated HEP (EF¹) | Possible outcome
Prepare to embark | Davit structure not checked | Catastrophic fault in structure | 10? (5) | Death or injury
Prepare to embark | Davit structure check fails | Catastrophic fault in structure | 10? (3) | Death or injury
Prepare to embark | Winch system not checked | Catastrophic fault in winch system | 10? (10) | Death or injury
Prepare to embark | Winch system check fails | Catastrophic fault in winch system | 10? (10) | Death or injury
Prepare to embark | Maintenance Pendants not checked | Maintenance pendants attached | 10? (5) | Departure Prevented
Prepare to embark | Maintenance Pendants check fails | Maintenance pendants attached | 10° (10) | Departure Prevented
Prepare to embark | Winch system not checked | Winch system not functioning | 10° (10) | Departure Prevented
Prepare to embark | Winch system check fails | Winch system not functioning | 10? (10) | Departure Prevented
Prepare to embark | Hook release not checked | Release system not functioning | 10? (5) | Occupants Stranded
Prepare to embark | Hook release check fails | Release system not functioning | 10” (10) | Occupants Stranded
Prepare to embark | Fails to correct hook release fault | Release system not functioning | 10° (3) | Occupants Stranded
Prepare to embark | Winch system not checked | Winch system fails during descent | 10° (10) | Occupants Stranded
Prepare to embark | Winch system check fails | Winch system fails during descent | 10° (10) | Occupants Stranded
Embarkation | All passengers do not embark | | 10” (100) | Death or injury of person
Embarkation | Stretcher-bound injured do not embark | | 10? (5) | 
Departure | Primary release system used incorrectly | | 10? (5) | Departure Delayed
Departure | Secondary system (if available) used incorrectly | | 10? (5) | Departure Delayed
Departure | Brake release not continuous | | 10? (5) | Departure Delayed
Departure | Wrong controls selected | | 10? (5) | Departure Delayed
Departure | Primary hook release system controls not operated | | 10? (5) | Departure Delayed
Departure | Occupants do not know how to use hook release | | 10? (5) | Departure Delayed
Departure | Occupants don't know how to manually release hooks | | 10° (5) | Departure Delayed
Departure | Occupants do not know how to override hydrostatic hook release system interlock | | 10° (10) | Departure Delayed
Move Away | Incorrect direction navigated | | 107 (5) | Death or injury
Move Away | Secondary manual release mechanism not operated | | 10? (5) | Departure Prevented
Move Away | Primary release mechanism not operated | | 10° (5) | Departure Delayed
Move Away | Incorrect direction navigated | | 10° (5) | Departure Delayed
Move Away | Gearbox/prop check not done | | 10? (10) | Unmanoeuvr. Boat
Move Away | Gearbox/prop check fails | | 10? (10) | Unmanoeuvr. Boat
Move Away | Steering check not done | | 10? (10) | Unmanoeuvr. Boat
Move Away | Failure of steering check | | 10? (10) | Unmanoeuvr. Boat
Move Away | Starting controls not identified | | 10? (5) | Unmanoeuvr. Boat
Move Away | Unable to start propulsion system | | 10? (5) | Unmanoeuvr. Boat


¹ EF = Error Factor 


2.9.3 Techniques 


To complete this assessment a number of different techniques could be employed. 
There is no one correct answer and the structure, order and detail of the individual 
assessments will depend on the level of risk associated with the event and the level of 
detail required in the output. 


Software models are available for assessing lifeboat evacuation, examples being 
ESCAPE and FARLIFE. The ESCAPE programme is based on the Department of Energy 
study. The FARLIFE programme is a time based simulator which can use the same data 
and can include operational errors within the model. 


2.9.3.4 Estimating fatalities during evacuation by other means 
2.9.3.1.1 Escape to Sea 
Table 2.22 gives statistics for fatality rates as guidelines. 


Table 2.22 Guidelines for fatality estimates 


Mode | Factors | Fatality ranges | Data Source
Personnel killed by escaping direct to sea | Jumping height | 1-5% for low heights | Judgement
Personnel killed by escaping direct to sea | Jumping height | 5-20% for large heights | Judgement


2.9.3.1.1.1 Survival in the water 
Table 2.23 gives survival time data for personnel not wearing survival suits [44]. 


Table 2.23 50% Survival Times for Conventionally Clothed Persons in still water [44] 


Water temperature (°C) | Survival time for 50% of persons (hrs)
2.5 | 0.75
5 | 1
7.5 | 1.5
10 | 2
12.5 | 3
15 | 6


For personnel wearing a survival suit the time is significantly increased. New designs 
have been shown to protect for over 4 hours at a water temperature of 4°C [45]. Further 
information is presented in the Human Vulnerability datasheet. 


For the QRA analyst a key concern will be the number who have successfully donned 
survival suits and life jackets before entering the water. Given that personnel who 
escape to sea are unlikely to have had much time to prepare for their escape, the 
likelihood of them putting on the safety clothing will be dependent on its accessibility. 
The analyst should consider whether the equipment is provided at the probable points 
of alighting the installation or whether it is stowed in remote lockers. 


The initial risk when entering the sea is from 'cold shock', which can cause a person to 
inhale even when underwater due to an involuntary gasping reflex [46]. 


2.9.3.1.1.2 Recovery from the sea 


A review of the performance of attendant vessels in emergencies offshore [47] suggests 
that the success for recovering personnel from the sea ranges between approximately 
10% and 95% depending on the type of vessel and weather conditions. 


Once individuals have been in the water for 3 hrs or more they will become scattered, 
making locating and rescuing them more difficult. 


Once recovery has been achieved there is still the risk of post-immersion collapse. This 
could occur as the individual loses the hydrostatic assistance to circulation, leading to 
collapse of blood pressure and consequent reduced cardiac output [46]. 


2.9.3.1.1.3 Modelling of Survivability 


Robertson [46] found the Wissler model to be the most usable computer model when 
predicting fatalities among personnel once they are in the water. This model uses the 
following assumptions that are useful to note: 


* Survival time will be reduced by 50% if the sea state is at Beaufort scale 3 rather 
than 0. This is due to the increase in activity required to stay afloat and prevent 
drowning. 


* Survival time will be reduced by 10% if there is a 1 litre leakage of water into the 
survival suit. 


* An insulated immersion suit could increase the survival time by a factor of ten when 
compared with a membrane suit. 


* This model uses data about survival rate and water temperature to assess 
survivability. 


* Each percentage of body fat equates approximately to a 0.1°C rise in deep body 
temperature. 


Many parameters can be varied within this model. However, there are many variables 
which can affect a person's ability to survive and some of these are impossible to 
determine. For example, the psychological factor of ‘giving up’ or ‘determination’ could 
play a large part in a person’s ability to survive, especially over a drawn-out period of time. 


3.0 Additional Resources 
3.1 Legislation, guidelines and standards 
3.1.1 UK Legislation, Guidelines and Standards 


The European Commission now defines many of the legal requirements for the UK. 
Each Member State is then responsible for incorporating these requirements into their 
domestic law. 


The Health & Safety Commission (HSC) are the UK body that controls all health 
and safety issues within the UK. The Health and Safety Executive (HSE) are the 
government agency responsible for regulations and their enforcement through 
inspection and investigation. See http://www.hse.gov.uk/. 


3.1.2 Key Guidance and References 
3.1.2.1 HSE Publications 


http://www.hsebooks.co.uk/ 
http://www.hse.gov.uk/signpost/index.htm 


http://www.hmso.gov.uk/ 


* HSE (1990) Noise at work: Noise assessment, information and control: Guidance 
notes. HSE Books. 


* HSE (1995) Improving compliance with safety procedures: Reducing industrial 
violations. HSE Books. 


* HSE (1997) Successful health and safety management, HSG 65. HSE Books. 


* HSE (1998) Manual Handling: Guidance on Manual Handling Operations Regulations 
1992, L23. HSE Books. 


* HSE (1998) A guide to the Offshore Installations (Safety Representatives and Safety 
Committees) Regulations 1989: Guidance on Regulations, L110. HSE Books. 


* HSE (1998) A guide to the Offshore Installations (Safety Case) Regulations 1992: 
Guidance on Regulations, L30. HSE Books. 


* HSE (1998) Safe use of lifting equipment: Approved code of practice and guidance 
for the Lifting Operations and Lifting Equipment Regulations 1998, L113. HSE Books. 


* HSE (1999) A guide to the Control of Major Accident Hazards Regulations 1999: 
Guidance on Regulations, L111. HSE Books. 


* HSE (1999) Reducing error and influencing behaviour, HSG 48. HSE Books. 


* HFRG (2000) Improving maintenance: A guide to reducing human error. HSE Books. 


3.1.2.2 British Standards 


http://bsonline.techindex.co.uk/ 


* BS EN ISO 9241-1 (1997) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 1: General introduction. 


* BS EN 9241-2 (1993) Ergonomics requirements for office work with visual display 
terminals (VDTs) - Part 2: Guidance on task requirements. 


* BS EN 9241-3 (1993) Ergonomics requirements for office work with visual display 
terminals (VDTs) - Part 3: Visual display requirements. 


* BS EN ISO 9241-4 (1998) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 4: Keyboard requirements. 


* BS EN ISO 9241-5 (1999) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 5: Workstation layout and postural requirement. 


* BS EN ISO 9241-6 (2000) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 6: Guidance on the work environment. 


* BS EN ISO 9241-7 (1998) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 7: Requirements for display with reflections. 


* BS EN ISO 9241-8 (1998) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 8: Requirements for displayed colours. 


* BS EN ISO 9241-9 (2000) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 9: Requirements for non-keyboard input devices. 


* BS EN ISO 9241-10 (1996) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 10: Dialogue principles. 


* BS EN ISO 9241-11 (1998) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 11: Guidance on usability. 


* BS EN ISO 9241-12 (1999) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 12: Presentation of information. 


* BS EN ISO 9241-13 (1999) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 13: User guidance. 


* BS ISO 9241-14 (1997) Ergonomics requirements for office work with visual display 
terminals (VDTs) - Part 14: Menu dialogues. 


* BS EN ISO 9241-15 (1998) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 15: Command dialogues. 


* BS EN ISO 9241-16 (1999) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 16: Direct manipulation dialogues. 


* BS EN ISO 9241-17 (1998) Ergonomics requirements for office work with visual 
display terminals (VDTs) - Part 17: Form-filling dialogues. 


* BS EN ISO 7250 (1998) Basic human body measurements for technological design. 


* DD 202 (1991) Ergonomics principles in the design of work systems Draft for 
development. 


* BS EN 60073 (1997) Basic and safety principles for man-machine interface, marking 
and identification - Coding principles for indication devices and actuators. 


3.1.2.3 ISO Standards 
http://www.iso.ch/iso/en/ISOOnline.frontpage 


* ISO 11064-1 (2000) Ergonomic design of control centres - Part 1: Principles for the 
design of control centres, Working draft. 


* ISO 11064-2 (2000) Ergonomic design of control centres - Part 2: Principles for 
control suite arrangement. 


* ISO 11064-3 (2000) Ergonomic design of control centres - Part 3: Control room 
layout. 


* ISO 11064-4 (2000) Ergonomic design of control centres - Part 4: Workstation layout 
and dimensions. 


* ISO 11064-5 (2000) Ergonomic design of control centres - Part 5: Displays and 
controls. 


* ISO 11064-6 (2000) Ergonomic design of control centres - Part 6: Environmental 
requirements, Working draft. 


* ISO 11064-7 (2000) Ergonomic design of control centres - Part 7: Principles for the 
evaluation of control centres. 


* ISO 11064-8 (2000) Ergonomic design of control centres - Part 8: Ergonomics 
requirements for specific applications. 


3.2 Key Societies and Centres 


There are several main bodies worldwide that cover Human Factors professionals. 


3.2.1 United Kingdom 


The Ergonomics Society is the professional body within the UK for ergonomics and 
Human Factors practitioners. Individual registered members are required to have 
completed an accredited university degree and have at least three years professional 
experience. The Society outlines a Code of Conduct with which all members are 
required to comply. For further information see http://www.ergonomics.org.uk/ 


3.2.2 Europe 


The Centre for Registration of European Ergonomists (CREE) holds a similar 
register. Individuals must have a broad-based ergonomics degree qualification, together 
with further experience in the use and application of ergonomics in practical situations 
over a period of at least two years. The European Ergonomist category is approximately 
equivalent to the Ergonomics Society’s Registered Member grade. For further 
information see http://www.eurerg.org/ 


The Human Factors and Ergonomics Society, Europe Chapter, is organised to 
serve the needs of the Human Factors profession in Europe. This is a sub-society of the 
US-based Human Factors and Ergonomics Society. For further information about their 
aims and roles see http://www.hfes-europe.org/ 


Other ergonomics and Human Factors societies exist throughout Europe. Further 
information can be found at the following websites: 


* Federation of European Ergonomics Societies: http://www.fees-network.org/ 
* Irish Ergonomics Society: http://www.ul.ie/-ies/ 
* Society for French Speaking Ergonomists: http://www.ergonomie-self.org/ 
* German Ergonomics Society: http://www.gfa-online.de/englisch/english.php 
* Dutch Ergonomics Society: http://www.ergonoom.nl/NVvE/en 
* Italian Ergonomics Society: http://www.societadiergonomia.it/ 
* Hellenic Ergonomics Society: http://www.ergonomics.gr/index en.htm 
* Belgian Ergonomics Society: http://www.besweb.be/ 
* Swiss Ergonomics Society: http://www.swissergo.ch/en/index.php 


3.2.3 Scandinavia 


Ergonomics has a high profile in Scandinavian countries. There are several national 
societies: 


* Norwegian Ergonomics Society: http://www.ergonom.no/ (Norwegian only) 
* Swedish Ergonomics Society: http://www.ergonomisallskapet.se/ (Swedish only) 
* Finnish Ergonomics Society: http://www.ergonomiayhdistys.fi/ 


Addresses and further details of how to contact these societies can be found at the 
Nordic Ergonomics Society's website: 
http://www.ergonom.no/Html english/s02a01c01.html 


3.2.4 United States and Canada 


The Human Factors & Ergonomics Society encourages education and training for 
those entering the Human Factors and ergonomics profession and for those who 
conceive, design, develop, manufacture, test, manage, and participate in systems. For 
more information see http://hfes.org/ 

The Association of Canadian Ergonomists (formerly the Human Factors Association 
of Canada) can be found at http://www.ace-ergocanada.ca/ 


3.2.5 South America 


* Argentinean Ergonomics Society: www.geocities.com/CapeCanaveral/6616/ 
(Spanish only) 


* Chilean Ergonomics Society: http://sochergo.ergonomia.cl/ (Chilean Only) 


3.2.6 Australia and New Zealand 


The Ergonomics Society of Australia (ESA) is the professional organisation of 
Ergonomists in Australia. Its purpose is to promote the principles and practice of 
ergonomics throughout the community. It has over 500 members. ESA is one of 36 
federated societies worldwide that comprise the International Ergonomics Association 
(IEA). See http://www.ergonomics.org.au/ 


New Zealand Ergonomics Society (NZES) can be found at 
http://www.ergonomics.org.nz/ 


3.2.7 Rest of the World 


The International Ergonomics Association is the federation of ergonomics and 
Human Factors societies from around the world. The mission of IEA is to elaborate and 
advance ergonomics science and practice, and to improve the quality of life by 
expanding its scope of application and contribution to society. The IEA is governed by 
the Council with representatives from the federated societies. Day-to-day administration 
is performed by the Executive Committee that consists of the elected Officers and 
Chairs of the Standing Committees. See http://www.iea.cc/ 


Further websites available for the rest of the world include: 


* The Hong Kong Ergonomics Society: http://www.ergonomics.org.hk/ 
* Iranian Ergonomics Society: http://www.modares.ac.ir/ies/ 
* Ergonomics Society of Korea: http://esk.or.kr/ (Korean Only) 
* Ergonomics Society of Taiwan: http://esk.or.kr/ 
* Ergonomics Society of Thailand: http://www.est.or.th/index.html (Thai Only) 
* Indian Society of Ergonomics: http://www.ise.org.in/ 


Ergonomics Society of South Africa has its own website at 
http://www.ergonomics-sa.org.za/ 